CVE-2016-2313

auth_login.php in Cacti before 0.8.8g allows remote authenticated users who use web authentication to bypass intended access restrictions by logging in as a user not in the cacti database.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
8.8 HIGH
NETWORK
LOW
LOW
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
microfocusCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 52%
VendorProductVersion
cacticacti
𝑥
≤ 0.8.8f
opensuseleap
42.1
opensuseopensuse
13.1
opensuseopensuse
13.2
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
cacti
bullseye
1.2.16+ds1-2+deb11u3
fixed
bullseye (security)
1.2.16+ds1-2+deb11u4
fixed
bookworm
1.2.24+ds1-1+deb12u4
fixed
bookworm (security)
1.2.24+ds1-1+deb12u2
fixed
sid
1.2.28+ds1-2
fixed
trixie
1.2.28+ds1-2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
cacti
zesty
not-affected
yakkety
not-affected
xenial
Fixed 0.8.8f+ds1-4ubuntu4.16.04.2
released
wily
ignored
trusty
Fixed 0.8.8b+dfsg-5ubuntu0.2
released
precise
ignored
Common Weakness Enumeration
References
http://bugs.cacti.net/view.php?id=2656
http://lists.opensuse.org/opensuse-updates/2016-02/msg00077.html
http://lists.opensuse.org/opensuse-updates/2016-02/msg00078.html
http://lists.opensuse.org/opensuse-updates/2016-02/msg00080.html
http://www.cacti.net/release_notes_0_8_8g.php
http://www.securitytracker.com/id/1037745
https://security.gentoo.org/glsa/201607-05
https://security.gentoo.org/glsa/201711-10
http://bugs.cacti.net/view.php?id=2656
http://lists.opensuse.org/opensuse-updates/2016-02/msg00077.html
http://lists.opensuse.org/opensuse-updates/2016-02/msg00078.html
http://lists.opensuse.org/opensuse-updates/2016-02/msg00080.html
http://www.cacti.net/release_notes_0_8_8g.php
http://www.securitytracker.com/id/1037745
https://security.gentoo.org/glsa/201607-05
https://security.gentoo.org/glsa/201711-10