Cacti graph_view.php RCE via graph_start Parameter Injection

Cacti versions prior to 0.8.6-d contain a remote command execution vulnerability in the graph_view.php script. An authenticated user can inject arbitrary shell commands via the graph_start GET parameter, which is improperly handled during graph rendering. This flaw allows attackers to execute commands on the underlying operating system with the privileges of the web server process, potentially compromising system integrity.

N/A

OS命令中使用的特殊元素转义处理不恰当(OS命令注入)

Cacti 安全漏洞

Cacti是Cacti团队的一套开源的网络流量监测和分析工具。该工具通过snmpget来获取数据，使用RRDtool绘画图形进行分析，并提供数据和用户管理功能。 Cacti 0.8.6-d之前版本存在安全漏洞，该漏洞源于graph_view.php脚本对graph_start参数处理不当，可能导致远程命令执行。

N/A

N/A