CVE-2020-8813
Description
graph_realtime.php in Cacti 1.2.8 allows remote attackers to execute arbitrary OS commands via shell metacharacters in a cookie, if a guest user has the graph real-time privilege.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- Cacti/Cacti
- Range: = 1.2.8
- OSV coordinates (7 package versions):
- pkg:rpm/opensuse/cacti&distro=openSUSE%20Leap%2015.1
- pkg:rpm/opensuse/cacti&distro=openSUSE%20Tumbleweed
- pkg:rpm/opensuse/cacti-spine&distro=openSUSE%20Leap%2015.1
- pkg:rpm/suse/cacti&distro=SUSE%20Package%20Hub%2012
- pkg:rpm/suse/cacti&distro=SUSE%20Package%20Hub%2015%20SP1
- pkg:rpm/suse/cacti-spine&distro=SUSE%20Package%20Hub%2012
- pkg:rpm/suse/cacti-spine&distro=SUSE%20Package%20Hub%2015%20SP1
- Fixed-version ranges for the above (no CPE):
- range: < 1.2.11-5.1
- range: < 1.2.18-1.2
- range: < 1.2.11-2.1
- range: < 1.2.11-5.1
- range: < 1.2.11-bp151.4.6.1
- range: < 1.2.11-2.1
- range: < 1.2.11-bp151.4.6.1
Patches
Vulnerability mechanics
Root cause
"Missing input sanitization of cookie values in graph_realtime.php allows shell metacharacters to be interpreted as OS commands."
Attack vector
An attacker sends a crafted HTTP request to `graph_realtime.php` containing shell metacharacters (e.g., backticks, `$()`, semicolons) inside a cookie. If the Cacti instance is configured so that a guest user has the "graph real-time" privilege, no authentication is required. The server processes the cookie value without sanitization, passing it to a shell command, which executes the attacker's injected OS commands.
Affected code
The vulnerability resides in `graph_realtime.php` in Cacti 1.2.8. The file reads a cookie value and passes it unsanitized into a command executed by the system shell, allowing shell metacharacters in the cookie to be interpreted as OS commands.
What the fix does
The bundle does not include a patch diff. The advisory [ref_id=1] indicates that Cacti addressed this issue in a later release (the changelog for v1.2.29 and later versions lists multiple security fixes, but CVE-2020-8813 is not explicitly called out in the provided changelog excerpts). The recommended remediation is to upgrade to a patched version of Cacti that properly escapes or validates cookie input before passing it to a shell command.
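As an added illustration of the root cause and of the remediation described above (this is not Cacti's code and not the actual patch), the unsafe pattern of interpolating a cookie into a shell command is shown beside a validated form; the cookie name `graph_width`, the `rrdtool` command line and the numeric bounds are hypothetical placeholders:

```php
<?php
// Added example, not Cacti's code. The bug class behind CVE-2020-8813 is a
// cookie value that reaches the shell unescaped; names here are hypothetical.

// Vulnerable pattern: the raw cookie is spliced into the command string, so
// metacharacters such as ; or $() change what the shell actually runs.
function render_graph_unsafe(array $cookies): string {
    $width = $cookies['graph_width'] ?? '600';
    return (string)shell_exec("rrdtool graph - --width " . $width);
}

// Hardened pattern, step 1: validate the value against the type the code
// really needs (a bounded integer) and fall back to a default otherwise.
function validate_graph_width($raw, int $default = 600): int {
    if (!is_string($raw) || !preg_match('/^[0-9]{1,4}$/', $raw)) {
        return $default;            // anything that is not a plain number
    }
    $w = (int)$raw;
    return ($w >= 100 && $w <= 4000) ? $w : $default;
}

// Hardened pattern, step 2: even the validated value is passed as a single
// quoted argument (defence in depth if the validation is later loosened).
function render_graph_safe(array $cookies): string {
    $width = validate_graph_width($cookies['graph_width'] ?? null);
    $cmd = 'rrdtool graph - --width ' . escapeshellarg((string)$width);
    return (string)shell_exec($cmd);
}

// Detection aid for defenders: a cookie that should be numeric but carries
// shell metacharacters is worth logging and alerting on.
function cookie_looks_tampered(string $raw): bool {
    return (bool)preg_match('/[;&|`$(){}<>\n]/', $raw);
}

// Constructed sample: a benign value passes, a tampered one is rejected.
$ok   = validate_graph_width('800');          // 800
$bad  = validate_graph_width('800; id');      // 600 (default)
$flag = cookie_looks_tampered('800; id');     // true
```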
Preconditions
- config: The Cacti instance must have a guest user with the 'graph real-time' privilege enabled.
- network: The attacker must be able to send HTTP requests to the Cacti server (network access).
- input: The attacker must supply shell metacharacters in a cookie value.
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- lists.opensuse.org/opensuse-security-announce/2020-04/msg00042.html (mitre, vendor-advisory)
- lists.opensuse.org/opensuse-security-announce/2020-04/msg00048.html (mitre, vendor-advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M77SS33IDVNGBU566TK2XVULPW3RXUQ4/ (mitre, vendor-advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WAX3LDXPIKWNBGVZSIMZV7LI5K6BZRTO/ (mitre, vendor-advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XEMDQXDRNQYXOME7TACKDVCXZXZNGZE2/ (mitre, vendor-advisory)
- security.gentoo.org/glsa/202004-16 (mitre, vendor-advisory)
- lists.debian.org/debian-lts-announce/2022/12/msg00039.html (mitre, mailing-list)
- packetstormsecurity.com/files/156537/Cacti-1.2.8-Unauthenticated-Remote-Code-Execution.html (mitre)
- packetstormsecurity.com/files/156538/Cacti-1.2.8-Authenticated-Remote-Code-Execution.html (mitre)
- packetstormsecurity.com/files/156593/Cacti-1.2.8-Unauthenticated-Remote-Code-Execution.html (mitre)
- packetstormsecurity.com/files/157477/Open-AudIT-Professional-3.3.1-Remote-Code-Execution.html (mitre)
- drive.google.com/file/d/1A8hxTyk_NgSp04zPX-23nPbsSDeyDFio/view (mitre)
- gist.github.com/mhaskar/ebe6b74c32fd0f7e1eedf1aabfd44129 (mitre)
- github.com/Cacti/cacti/issues/3285 (mitre)
- github.com/Cacti/cacti/releases (mitre)
- shells.systems/cacti-v1-2-8-authenticated-remote-code-execution-cve-2020-8813/ (mitre)
News mentions
No linked articles in our index yet.