
Cloud Vulnerability DB
A community-led vulnerabilities database
Cacti versions prior to 0.8.6-d contain a remote command execution vulnerability in the graphview.php script. The vulnerability was discovered on January 15, 2005, and affects the graph rendering functionality of the Cacti network monitoring system. An authenticated user can exploit this vulnerability through the graphstart GET parameter (NVD, VulnCheck).
The flaw lies in how the graphview.php script handles the graphstart GET parameter: the value is improperly handled, which allows command injection. The vulnerability has been assigned a CVSS v4.0 base score of 8.7 (HIGH) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. The flaw is classified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command) (VulnCheck).
When exploited, this vulnerability allows attackers to execute commands on the underlying operating system with the privileges of the web server process. This can lead to system compromise, potentially allowing attackers to read sensitive data, modify system configurations, or gain persistent access to the affected system (NVD).
The primary mitigation is to upgrade Cacti to version 0.8.6-d or later, which contains fixes for this vulnerability. The patch was released on January 19, 2005 (Cacti Archive).
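For installations that ran a version prior to 0.8.6-d, web server access logs can be reviewed for graphview.php requests whose graphstart value is not a plain integer. The following is an added example, not code from Cacti or from this advisory; the log format (common/combined), the sample lines, the function names and the assumption that legitimate graphstart values are numeric are all assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request field of a common/combined access log line: "METHOD target PROTOCOL"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def suspicious_graphstart(log_line):
    """Return the decoded graphstart value if it is not purely numeric, else None."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if not url.path.lower().endswith("/graphview.php"):
        return None
    # parse_qs percent-decodes values; keep_blank_values keeps an empty "graphstart="
    params = parse_qs(url.query, keep_blank_values=True)
    for value in params.get("graphstart", []):
        # Assumption: a legitimate value is an integer, so anything else is flagged
        if not re.fullmatch(r"\d+", value):
            return value
    return None

def triage(lines):
    """Return (line number, client address, decoded value) for each flagged request."""
    hits = []
    for n, line in enumerate(lines, 1):
        value = suspicious_graphstart(line)
        if value is not None:
            hits.append((n, line.split()[0], value))
    return hits

# Constructed sample log lines (documentation IP ranges, placeholder payload)
SAMPLE_LOG = [
    '192.0.2.10 - alice [15/Jan/2005:10:00:01 +0000] '
    '"GET /cacti/graphview.php?graphstart=1105747200 HTTP/1.1" 200 5120',
    '198.51.100.7 - bob [15/Jan/2005:10:02:13 +0000] '
    '"GET /cacti/graphview.php?graphstart=1105747200%3BPLACEHOLDER HTTP/1.1" 200 312',
    '192.0.2.10 - alice [15/Jan/2005:10:03:40 +0000] '
    '"GET /cacti/graph.php?graphstart=abc HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for lineno, client, value in triage(SAMPLE_LOG):
        print(f"line {lineno}: {client} sent graphstart={value!r}")
```

A hit is a lead for investigation rather than proof of exploitation; the authenticated user name in the log line identifies which account to review.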
Source: This report was generated using AI