Fluid Attacks Database

Description

Cacti 1.2.8 allows Remote Code Execution (by privileged users) via shell metacharacters in the Performance Boost Debug Log field of poller_automation.php. OS commands are executed when a new poller cycle begins. The attacker must be authenticated, and must have access to modify the Performance Settings of the product.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	cacti	>=0 <1.2.9+ds1-1	1.2.9+ds1-1
debian 12	cacti	>=0 <1.2.9+ds1-1	1.2.9+ds1-1
debian 13	cacti	>=0 <1.2.9+ds1-1	1.2.9+ds1-1
debian 14	cacti	>=0 <1.2.9+ds1-1	1.2.9+ds1-1

Aliases

1. CVE-2020-72372. NVD-2020-72373. OSV-DEBIAN-2020-72374. OSV-2020-72375. SECURITY-TRACKER-CVE-2020-7237

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.