Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

nvd логотип

CVE-2023-39364

Опубликовано: 05 сент. 2023
Источник: nvd
CVSS3: 3.5
CVSS3: 5.4
EPSS Низкий

Описание

Cacti is an open source operational monitoring and fault management framework. In Cacti 1.2.24, users with console access can be redirected to an arbitrary website after a change password performed via a specifically crafted URL. The auth_changepassword.php file accepts ref as a URL parameter and reflects it in the form used to perform the change password. It's value is used to perform a redirect via header PHP function. A user can be tricked in performing the change password operation, e.g., via a phishing message, and then interacting with the malicious website where the redirection has been performed, e.g., downloading malwares, providing credentials, etc. This issue has been addressed in version 1.2.25. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Ссылки

Уязвимые конфигурации

Конфигурация 1
cpe:2.3:a:cacti:cacti:1.2.24:*:*:*:*:*:*:*
Конфигурация 2

Одно из

cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*

EPSS

Процентиль: 38%
0.00166
Низкий

3.5 Low

CVSS3

5.4 Medium

CVSS3

Дефекты

CWE-601

Связанные уязвимости

ubuntu логотип

CVE-2023-39364

CVSS3: 3.5
ubuntu
больше 2 лет назад

Cacti is an open source operational monitoring and fault management framework. In Cacti 1.2.24, users with console access can be redirected to an arbitrary website after a change password performed via a specifically crafted URL. The `auth_changepassword.php` file accepts `ref` as a URL parameter and reflects it in the form used to perform the change password. It's value is used to perform a redirect via `header` PHP function. A user can be tricked in performing the change password operation, e.g., via a phishing message, and then interacting with the malicious website where the redirection has been performed, e.g., downloading malwares, providing credentials, etc. This issue has been addressed in version 1.2.25. Users are advised to upgrade. There are no known workarounds for this vulnerability.

debian логотип

CVE-2023-39364

CVSS3: 3.5
debian
больше 2 лет назад

Cacti is an open source operational monitoring and fault management fr ...

fstec логотип

BDU:2023-06057

CVSS3: 5.4
fstec
больше 2 лет назад

Уязвимость компонента auth_changepassword.php программного средства мониторинга сети Cacti, позволяющая нарушителю перенаправить пользователя на произвольный URL-адрес

suse-cvrf логотип

openSUSE-SU-2023:0275-1

suse-cvrf
больше 2 лет назад

Security update for cacti, cacti-spine

EPSS

Процентиль: 38%
0.00166
Низкий

3.5 Low

CVSS3

5.4 Medium

CVSS3

Дефекты

CWE-601