CVE-2024-43363

Name	CVE-2024-43363
Description	Cacti is an open source performance and fault management framework. An admin user can create a device with a malicious hostname containing php code and repeat the installation process (completing only step 5 of the installation process is enough, no need to complete the steps before or after it) to use a php file as the cacti log file. After having the malicious hostname end up in the logs (log poisoning), one can simply go to the log file url to execute commands to achieve RCE. This issue has been addressed in version 1.2.28 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
cacti (PTS)	jessie, jessie (lts)	0.8.8b+dfsg-8+deb8u10	vulnerable
	stretch (security), stretch (lts), stretch	0.8.8h+ds1-10+deb9u2	vulnerable
	buster (security), buster, buster (lts)	1.2.2+ds1-2+deb10u6	vulnerable
	bullseye	1.2.16+ds1-2+deb11u3	vulnerable
	bullseye (security)	1.2.16+ds1-2+deb11u4	vulnerable
	bookworm	1.2.24+ds1-1+deb12u4	vulnerable
	bookworm (security)	1.2.24+ds1-1+deb12u2	vulnerable
	sid, trixie	1.2.28+ds1-2	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency
cacti	source	jessie	(unfixed)	end-of-life
cacti	source	stretch	(unfixed)	end-of-life
cacti	source	buster	(unfixed)	end-of-life
cacti	source	(unstable)	1.2.28+ds1-1

https://github.com/Cacti/cacti/security/advisories/GHSA-gxq4-mv8h-6qj4