PT-2024-11: Local File Inclusion in Cacti

Vendor: Cacti
Product: Cacti
Vulnerable version: 1.2.25

Vulnerability type:
- CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

Identifier (ID):
- BDU:2024-03557
- CVE-2023-49084

Vulnerability vector:
- Base vulnerability score (CVSSv3.1): CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Severity (CVSSv3.1): 8.8 (high)
- Base vulnerability score (CVSSv4.0): CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
- Severity (CVSSv4.0): 8.7 (high)

Description:
The vulnerability was identified in Cacti version 1.2.25 and below. It allows arbitrary code to be executed on the server. An authorized user can exploit it by combining SQL injection with insufficient validation of the path to the included file.

Vulnerability status: Confirmed by vendor
Date of vulnerability detection: 20.12.2023
Recommendations: Update to version 1.2.26 or higher
Additional information: Security Advisory
Researcher: Aleksey Solovev (Positive Technologies)