{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-46169", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "requesterUserId": "c184a3d9-dc98-4c48-a45b-d2d88cf0ac74", "dateReserved": "2022-11-28T17:27:19.998Z", "datePublished": "2022-12-05T20:48:07.852Z", "dateUpdated": "2025-10-21T23:15:30.343Z"}, "containers": {"cna": {"title": "Unauthenticated Command Injection", "problemTypes": [{"descriptions": [{"cweId": "CWE-74", "lang": "en", "description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/Cacti/cacti/security/advisories/GHSA-6p93-p743-35gf", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Cacti/cacti/security/advisories/GHSA-6p93-p743-35gf"}, {"name": "https://github.com/Cacti/cacti/commit/7f0e16312dd5ce20f93744ef8b9c3b0f1ece2216", "tags": ["x_refsource_MISC"], "url": "https://github.com/Cacti/cacti/commit/7f0e16312dd5ce20f93744ef8b9c3b0f1ece2216"}, {"name": "https://github.com/Cacti/cacti/commit/a8d59e8fa5f0054aa9c6981b1cbe30ef0e2a0ec9", "tags": ["x_refsource_MISC"], "url": "https://github.com/Cacti/cacti/commit/a8d59e8fa5f0054aa9c6981b1cbe30ef0e2a0ec9"}, {"name": "https://github.com/Cacti/cacti/commit/b43f13ae7f1e6bfe4e8e56a80a7cd867cf2db52b", "tags": ["x_refsource_MISC"], "url": "https://github.com/Cacti/cacti/commit/b43f13ae7f1e6bfe4e8e56a80a7cd867cf2db52b"}], "affected": [{"vendor": "Cacti", "product": "cacti", "versions": [{"version": "< 1.2.23", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2022-12-05T20:48:07.852Z"}, "descriptions": [{"lang": "en", "value": "Cacti is an open source platform which provides a robust and extensible operational monitoring and fault management framework for users. In affected versions a command injection vulnerability allows an unauthenticated user to execute arbitrary code on a server running Cacti, if a specific data source was selected for any monitored device. The vulnerability resides in the `remote_agent.php` file. This file can be accessed without authentication. This function retrieves the IP address of the client via `get_client_addr` and resolves this IP address to the corresponding hostname via `gethostbyaddr`. After this, it is verified that an entry within the `poller` table exists, where the hostname corresponds to the resolved hostname. If such an entry was found, the function returns `true` and the client is authorized. This authorization can be bypassed due to the implementation of the `get_client_addr` function. The function is defined in the file `lib/functions.php` and checks serval `$_SERVER` variables to determine the IP address of the client. The variables beginning with `HTTP_` can be arbitrarily set by an attacker. Since there is a default entry in the `poller` table with the hostname of the server running Cacti, an attacker can bypass the authentication e.g. by providing the header `Forwarded-For: <TARGETIP>`. This way the function `get_client_addr` returns the IP address of the server running Cacti. The following call to `gethostbyaddr` will resolve this IP address to the hostname of the server, which will pass the `poller` hostname check because of the default entry. After the authorization of the `remote_agent.php` file is bypassed, an attacker can trigger different actions. One of these actions is called `polldata`. The called function `poll_for_data` retrieves a few request parameters and loads the corresponding `poller_item` entries from the database. If the `action` of a `poller_item` equals `POLLER_ACTION_SCRIPT_PHP`, the function `proc_open` is used to execute a PHP script. The attacker-controlled parameter `$poller_id` is retrieved via the function `get_nfilter_request_var`, which allows arbitrary strings. This variable is later inserted into the string passed to `proc_open`, which leads to a command injection vulnerability. By e.g. providing the `poller_id=;id` the `id` command is executed. In order to reach the vulnerable call, the attacker must provide a `host_id` and `local_data_id`, where the `action` of the corresponding `poller_item` is set to `POLLER_ACTION_SCRIPT_PHP`. Both of these ids (`host_id` and `local_data_id`) can easily be bruteforced. The only requirement is that a `poller_item` with an `POLLER_ACTION_SCRIPT_PHP` action exists. This is very likely on a productive instance because this action is added by some predefined templates like `Device - Uptime` or `Device - Polling Time`.\n\nThis command injection vulnerability allows an unauthenticated user to execute arbitrary commands if a `poller_item` with the `action` type `POLLER_ACTION_SCRIPT_PHP` (`2`) is configured. The authorization bypass should be prevented by not allowing an attacker to make `get_client_addr` (file `lib/functions.php`) return an arbitrary IP address. This could be done by not honoring the `HTTP_...` `$_SERVER` variables. If these should be kept for compatibility reasons it should at least be prevented to fake the IP address of the server running Cacti. This vulnerability has been addressed in both the 1.2.x and 1.3.x release branches with `1.2.23` being the first release containing the patch."}], "source": {"advisory": "GHSA-6p93-p743-35gf", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-46169", "role": "CISA Coordinator", "options": [{"Exploitation": "active"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-05-13T17:39:57.218915Z"}}}, {"other": {"type": "kev", "content": {"dateAdded": "2023-02-16", "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-46169"}}}], "affected": [{"cpes": ["cpe:2.3:a:cacti:cacti:-:*:*:*:*:*:*:*"], "vendor": "cacti", "product": "cacti", "versions": [{"status": "affected", "version": "-", "lessThan": "1.2.23", "versionType": "custom"}], "defaultStatus": "unknown"}], "references": [{"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-46169", "tags": ["government-resource"]}], "timeline": [{"time": "2023-02-16T00:00:00.000Z", "lang": "en", "value": "CVE-2022-46169 added to CISA KEV"}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-21T23:15:30.343Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T14:24:03.319Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/Cacti/cacti/security/advisories/GHSA-6p93-p743-35gf", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/Cacti/cacti/security/advisories/GHSA-6p93-p743-35gf"}, {"name": "https://github.com/Cacti/cacti/commit/7f0e16312dd5ce20f93744ef8b9c3b0f1ece2216", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/Cacti/cacti/commit/7f0e16312dd5ce20f93744ef8b9c3b0f1ece2216"}, {"name": "https://github.com/Cacti/cacti/commit/a8d59e8fa5f0054aa9c6981b1cbe30ef0e2a0ec9", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/Cacti/cacti/commit/a8d59e8fa5f0054aa9c6981b1cbe30ef0e2a0ec9"}, {"name": "https://github.com/Cacti/cacti/commit/b43f13ae7f1e6bfe4e8e56a80a7cd867cf2db52b", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/Cacti/cacti/commit/b43f13ae7f1e6bfe4e8e56a80a7cd867cf2db52b"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/Cacti/cacti/security/advisories/GHSA-6p93-p743-35gf", "name": "https://github.com/Cacti/cacti/security/advisories/GHSA-6p93-p743-35gf", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/Cacti/cacti/commit/7f0e16312dd5ce20f93744ef8b9c3b0f1ece2216", "name": "https://github.com/Cacti/cacti/commit/7f0e16312dd5ce20f93744ef8b9c3b0f1ece2216", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/Cacti/cacti/commit/a8d59e8fa5f0054aa9c6981b1cbe30ef0e2a0ec9", "name": "https://github.com/Cacti/cacti/commit/a8d59e8fa5f0054aa9c6981b1cbe30ef0e2a0ec9", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/Cacti/cacti/commit/b43f13ae7f1e6bfe4e8e56a80a7cd867cf2db52b", "name": "https://github.com/Cacti/cacti/commit/b43f13ae7f1e6bfe4e8e56a80a7cd867cf2db52b", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T14:24:03.319Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-46169", "role": "CISA Coordinator", "options": [{"Exploitation": "active"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-05-13T17:39:57.218915Z"}}}, {"other": {"type": "kev", "content": {"dateAdded": "2023-02-16", "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-46169"}}}], "affected": [{"cpes": ["cpe:2.3:a:cacti:cacti:-:*:*:*:*:*:*:*"], "vendor": "cacti", "product": "cacti", "versions": [{"status": "affected", "version": "-", "lessThan": "1.2.23", "versionType": "custom"}], "defaultStatus": "unknown"}], "timeline": [{"lang": "en", "time": "2023-02-16T00:00:00.000Z", "value": "CVE-2022-46169 added to CISA KEV"}], "references": [{"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-46169", "tags": ["government-resource"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-13T17:40:33.655Z"}}], "cna": {"title": "Unauthenticated Command Injection", "source": {"advisory": "GHSA-6p93-p743-35gf", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "Cacti", "product": "cacti", "versions": [{"status": "affected", "version": "< 1.2.23"}]}], "references": [{"url": "https://github.com/Cacti/cacti/security/advisories/GHSA-6p93-p743-35gf", "name": "https://github.com/Cacti/cacti/security/advisories/GHSA-6p93-p743-35gf", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/Cacti/cacti/commit/7f0e16312dd5ce20f93744ef8b9c3b0f1ece2216", "name": "https://github.com/Cacti/cacti/commit/7f0e16312dd5ce20f93744ef8b9c3b0f1ece2216", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/Cacti/cacti/commit/a8d59e8fa5f0054aa9c6981b1cbe30ef0e2a0ec9", "name": "https://github.com/Cacti/cacti/commit/a8d59e8fa5f0054aa9c6981b1cbe30ef0e2a0ec9", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/Cacti/cacti/commit/b43f13ae7f1e6bfe4e8e56a80a7cd867cf2db52b", "name": "https://github.com/Cacti/cacti/commit/b43f13ae7f1e6bfe4e8e56a80a7cd867cf2db52b", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Cacti is an open source platform which provides a robust and extensible operational monitoring and fault management framework for users. In affected versions a command injection vulnerability allows an unauthenticated user to execute arbitrary code on a server running Cacti, if a specific data source was selected for any monitored device. The vulnerability resides in the `remote_agent.php` file. This file can be accessed without authentication. This function retrieves the IP address of the client via `get_client_addr` and resolves this IP address to the corresponding hostname via `gethostbyaddr`. After this, it is verified that an entry within the `poller` table exists, where the hostname corresponds to the resolved hostname. If such an entry was found, the function returns `true` and the client is authorized. This authorization can be bypassed due to the implementation of the `get_client_addr` function. The function is defined in the file `lib/functions.php` and checks serval `$_SERVER` variables to determine the IP address of the client. The variables beginning with `HTTP_` can be arbitrarily set by an attacker. Since there is a default entry in the `poller` table with the hostname of the server running Cacti, an attacker can bypass the authentication e.g. by providing the header `Forwarded-For: <TARGETIP>`. This way the function `get_client_addr` returns the IP address of the server running Cacti. The following call to `gethostbyaddr` will resolve this IP address to the hostname of the server, which will pass the `poller` hostname check because of the default entry. After the authorization of the `remote_agent.php` file is bypassed, an attacker can trigger different actions. One of these actions is called `polldata`. The called function `poll_for_data` retrieves a few request parameters and loads the corresponding `poller_item` entries from the database. If the `action` of a `poller_item` equals `POLLER_ACTION_SCRIPT_PHP`, the function `proc_open` is used to execute a PHP script. The attacker-controlled parameter `$poller_id` is retrieved via the function `get_nfilter_request_var`, which allows arbitrary strings. This variable is later inserted into the string passed to `proc_open`, which leads to a command injection vulnerability. By e.g. providing the `poller_id=;id` the `id` command is executed. In order to reach the vulnerable call, the attacker must provide a `host_id` and `local_data_id`, where the `action` of the corresponding `poller_item` is set to `POLLER_ACTION_SCRIPT_PHP`. Both of these ids (`host_id` and `local_data_id`) can easily be bruteforced. The only requirement is that a `poller_item` with an `POLLER_ACTION_SCRIPT_PHP` action exists. This is very likely on a productive instance because this action is added by some predefined templates like `Device - Uptime` or `Device - Polling Time`.\n\nThis command injection vulnerability allows an unauthenticated user to execute arbitrary commands if a `poller_item` with the `action` type `POLLER_ACTION_SCRIPT_PHP` (`2`) is configured. The authorization bypass should be prevented by not allowing an attacker to make `get_client_addr` (file `lib/functions.php`) return an arbitrary IP address. This could be done by not honoring the `HTTP_...` `$_SERVER` variables. If these should be kept for compatibility reasons it should at least be prevented to fake the IP address of the server running Cacti. This vulnerability has been addressed in both the 1.2.x and 1.3.x release branches with `1.2.23` being the first release containing the patch."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-74", "description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2022-12-05T20:48:07.852Z"}}}, "cveMetadata": {"cveId": "CVE-2022-46169", "state": "PUBLISHED", "dateUpdated": "2025-10-21T23:15:30.343Z", "dateReserved": "2022-11-28T17:27:19.998Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2022-12-05T20:48:07.852Z", "requesterUserId": "c184a3d9-dc98-4c48-a45b-d2d88cf0ac74", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cisaActionDue": "2023-03-09", "cisaExploitAdd": "2023-02-16", "cisaRequiredAction": "Apply updates per vendor instructions.", "cisaVulnerabilityName": "Cacti Command Injection Vulnerability", "configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:cacti:cacti:*:*:*:*:*:*:*:*", "matchCriteriaId": "B252EEC1-25BE-428B-96CA-22A0E812D3BA", "versionEndExcluding": "1.2.23", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Cacti is an open source platform which provides a robust and extensible operational monitoring and fault management framework for users. In affected versions a command injection vulnerability allows an unauthenticated user to execute arbitrary code on a server running Cacti, if a specific data source was selected for any monitored device. The vulnerability resides in the `remote_agent.php` file. This file can be accessed without authentication. This function retrieves the IP address of the client via `get_client_addr` and resolves this IP address to the corresponding hostname via `gethostbyaddr`. After this, it is verified that an entry within the `poller` table exists, where the hostname corresponds to the resolved hostname. If such an entry was found, the function returns `true` and the client is authorized. This authorization can be bypassed due to the implementation of the `get_client_addr` function. The function is defined in the file `lib/functions.php` and checks serval `$_SERVER` variables to determine the IP address of the client. The variables beginning with `HTTP_` can be arbitrarily set by an attacker. Since there is a default entry in the `poller` table with the hostname of the server running Cacti, an attacker can bypass the authentication e.g. by providing the header `Forwarded-For: <TARGETIP>`. This way the function `get_client_addr` returns the IP address of the server running Cacti. The following call to `gethostbyaddr` will resolve this IP address to the hostname of the server, which will pass the `poller` hostname check because of the default entry. After the authorization of the `remote_agent.php` file is bypassed, an attacker can trigger different actions. One of these actions is called `polldata`. The called function `poll_for_data` retrieves a few request parameters and loads the corresponding `poller_item` entries from the database. If the `action` of a `poller_item` equals `POLLER_ACTION_SCRIPT_PHP`, the function `proc_open` is used to execute a PHP script. The attacker-controlled parameter `$poller_id` is retrieved via the function `get_nfilter_request_var`, which allows arbitrary strings. This variable is later inserted into the string passed to `proc_open`, which leads to a command injection vulnerability. By e.g. providing the `poller_id=;id` the `id` command is executed. In order to reach the vulnerable call, the attacker must provide a `host_id` and `local_data_id`, where the `action` of the corresponding `poller_item` is set to `POLLER_ACTION_SCRIPT_PHP`. Both of these ids (`host_id` and `local_data_id`) can easily be bruteforced. The only requirement is that a `poller_item` with an `POLLER_ACTION_SCRIPT_PHP` action exists. This is very likely on a productive instance because this action is added by some predefined templates like `Device - Uptime` or `Device - Polling Time`.\n\nThis command injection vulnerability allows an unauthenticated user to execute arbitrary commands if a `poller_item` with the `action` type `POLLER_ACTION_SCRIPT_PHP` (`2`) is configured. The authorization bypass should be prevented by not allowing an attacker to make `get_client_addr` (file `lib/functions.php`) return an arbitrary IP address. This could be done by not honoring the `HTTP_...` `$_SERVER` variables. If these should be kept for compatibility reasons it should at least be prevented to fake the IP address of the server running Cacti. This vulnerability has been addressed in both the 1.2.x and 1.3.x release branches with `1.2.23` being the first release containing the patch."}, {"lang": "es", "value": "Cacti es una plataforma de c\u00f3digo abierto que proporciona un framework de gesti\u00f3n de fallos y supervisi\u00f3n operativa robusta y extensible para los usuarios. En las versiones afectadas, una vulnerabilidad de inyecci\u00f3n de comandos permite a un usuario no autenticado ejecutar c\u00f3digo arbitrario en un servidor que ejecuta Cacti, si se seleccion\u00f3 una fuente de datos espec\u00edfica para cualquier dispositivo monitoreado. La vulnerabilidad reside en el archivo `remote_agent.php`. Se puede acceder a este archivo sin autenticaci\u00f3n. Esta funci\u00f3n recupera la direcci\u00f3n IP del cliente a trav\u00e9s de `get_client_addr` y resuelve esta direcci\u00f3n IP en el nombre de host correspondiente a trav\u00e9s de `gethostbyaddr`. Despu\u00e9s de esto, se verifica que existe una entrada dentro de la tabla `poller`, donde el nombre de host corresponde al nombre de host resuelto. Si se encuentra dicha entrada, la funci\u00f3n devuelve \"verdadero\" y el cliente est\u00e1 autorizado. Esta autorizaci\u00f3n se puede omitir debido a la implementaci\u00f3n de la funci\u00f3n `get_client_addr`. La funci\u00f3n se define en el archivo `lib/functions.php` y verifica las variables serval `$_SERVER` para determinar la direcci\u00f3n IP del cliente. Un atacante puede establecer arbitrariamente las variables que comienzan con `HTTP_`. Dado que hay una entrada predeterminada en la tabla `poller` con el nombre de host del servidor que ejecuta Cacti, un atacante puede omitir la autenticaci\u00f3n, por ejemplo, proporcionando el encabezado `Forwarded-For: `. De esta forma, la funci\u00f3n `get_client_addr` devuelve la direcci\u00f3n IP del servidor que ejecuta Cacti. La siguiente llamada a `gethostbyaddr` resolver\u00e1 esta direcci\u00f3n IP en el nombre de host del servidor, que pasar\u00e1 la verificaci\u00f3n del nombre de host `poller` debido a la entrada predeterminada. Despu\u00e9s de omitir la autorizaci\u00f3n del archivo `remote_agent.php`, un atacante puede desencadenar diferentes acciones. Una de estas acciones se llama \"polldata\". La funci\u00f3n llamada `poll_for_data` recupera algunos par\u00e1metros de solicitud y carga las entradas correspondientes de `poller_item` de la base de datos. Si la `acci\u00f3n` de un `poller_item` es igual a `POLLER_ACTION_SCRIPT_PHP`, la funci\u00f3n `proc_open` se usa para ejecutar un script PHP. El par\u00e1metro controlado por el atacante `$poller_id` se recupera mediante la funci\u00f3n `get_nfilter_request_var`, que permite cadenas arbitrarias. Esta variable luego se inserta en la cadena pasada a `proc_open`, lo que genera una vulnerabilidad de inyecci\u00f3n de comando. Por ejemplo, al proporcionar `poller_id=;id`, se ejecuta el comando `id`. Para llegar a la llamada vulnerable, el atacante debe proporcionar un `host_id` y un `local_data_id`, donde la `acci\u00f3n` del `poller_item` correspondiente est\u00e1 configurada en `POLLER_ACTION_SCRIPT_PHP`. Ambos identificadores (`host_id` y `local_data_id`) pueden ser f\u00e1cilmente forzados por fuerza bruta. El \u00fanico requisito es que exista un `poller_item` con una acci\u00f3n `POLLER_ACTION_SCRIPT_PHP`. Es muy probable que esto ocurra en una instancia productiva porque esta acci\u00f3n se agrega mediante algunas plantillas predefinidas como \"Device - Uptime` o \"Dispositivo - Polling Time\". Esta vulnerabilidad de inyecci\u00f3n de comandos permite a un usuario no autenticado ejecutar comandos arbitrarios si se configura un `poller_item` con el tipo `action` `POLLER_ACTION_SCRIPT_PHP` (`2`). La omisi\u00f3n de autorizaci\u00f3n debe evitarse al no permitir que un atacante haga que `get_client_addr` (archivo `lib/functions.php`) devuelva una direcci\u00f3n IP arbitraria. Esto podr\u00eda hacerse al no respetar las variables `HTTP_...` `$_SERVER`. Si se deben conservar por razones de compatibilidad, al menos se debe evitar falsificar la direcci\u00f3n IP del servidor que ejecuta Cacti. Esta vulnerabilidad se ha solucionado en las versiones 1.2.x y 1.3.x, siendo `1.2.23` la primera versi\u00f3n que contiene el parche."}], "id": "CVE-2022-46169", "lastModified": "2025-10-24T14:47:01.117", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-12-05T21:15:10.527", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/Cacti/cacti/commit/7f0e16312dd5ce20f93744ef8b9c3b0f1ece2216"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/Cacti/cacti/commit/a8d59e8fa5f0054aa9c6981b1cbe30ef0e2a0ec9"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/Cacti/cacti/commit/b43f13ae7f1e6bfe4e8e56a80a7cd867cf2db52b"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Patch", "Third Party Advisory"], "url": "https://github.com/Cacti/cacti/security/advisories/GHSA-6p93-p743-35gf"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/Cacti/cacti/commit/7f0e16312dd5ce20f93744ef8b9c3b0f1ece2216"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/Cacti/cacti/commit/a8d59e8fa5f0054aa9c6981b1cbe30ef0e2a0ec9"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/Cacti/cacti/commit/b43f13ae7f1e6bfe4e8e56a80a7cd867cf2db52b"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Mitigation", "Patch", "Third Party Advisory"], "url": "https://github.com/Cacti/cacti/security/advisories/GHSA-6p93-p743-35gf"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["US Government Resource"], "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-46169"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-78"}, {"lang": "en", "value": "CWE-863"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{}