Cacti is an open source operational monitoring and fault management framework. In Cacti 1.2.24, users with console access can be redirected to an arbitrary website after a change password performed via a specifically crafted URL. The `auth_changepassword.php` file accepts `ref` as a URL parameter and reflects it in the form used to perform the change password. It's value is used to perform a redirect via `header` PHP function. A user can be tricked in performing the change password operation, e.g., via a phishing message, and then interacting with the malicious website where the redirection has been performed, e.g., downloading malwares, providing credentials, etc. This issue has been addressed in version 1.2.25. Users are advised to upgrade. There are no known workarounds for this vulnerability.
References
Configurations
History
18 Mar 2024, 20:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
09 Nov 2023, 05:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
03 Nov 2023, 21:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
20 Oct 2023, 19:53
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:* cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:* |
|
First Time |
Fedoraproject
Fedoraproject fedora |
|
References | (MISC) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CFH3J2WVBKY4ZJNMARVOWJQK6PSLPHFH/ - Mailing List | |
References | (MISC) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WZGB2UXJEUYWWA6IWVFQ3ZTP22FIHMGN/ - Mailing List |
13 Oct 2023, 04:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
11 Sep 2023, 15:10
Type | Values Removed | Values Added |
---|---|---|
First Time |
Cacti cacti
Cacti |
|
References | (MISC) https://github.com/Cacti/cacti/security/advisories/GHSA-4pjv-rmrp-r59x - Exploit, Vendor Advisory | |
CPE | cpe:2.3:a:cacti:cacti:1.2.24:*:*:*:*:*:*:* | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 5.4 |
05 Sep 2023, 22:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-09-05 22:15
Updated : 2024-03-18 20:15
NVD link : CVE-2023-39364
Mitre link : CVE-2023-39364
CVE.ORG link : CVE-2023-39364
JSON object : View
Products Affected
fedoraproject
- fedora
cacti
- cacti
CWE
CWE-601
URL Redirection to Untrusted Site ('Open Redirect')