CVE-2005-10004: 
Cacti vulnerability analysis and mitigation

Cacti versions prior to 0.8.6-d contain a remote command execution vulnerability in the graph_view.php script. The vulnerability was discovered on January 15, 2005, and assigned CVE-2005-10004. This security flaw affects all versions of Raxnet Cacti prior to version 0.8.6-d (Exploit DB, VulnCheck).

The vulnerability exists in the graph_view.php script where an authenticated user can inject arbitrary shell commands via the graph_start GET parameter. The parameter is improperly handled during graph rendering, allowing for command execution on the underlying operating system. The vulnerability has been assigned a CVSS V4 Base Score of 8.7 (High) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N, indicating network accessibility with low attack complexity (VulnCheck).

If exploited, this vulnerability allows attackers to execute commands on the underlying operating system with the privileges of the web server process. This can potentially lead to system integrity compromise and unauthorized access to sensitive information (NVD).

The primary mitigation is to upgrade to Cacti version 0.8.6-d or later. This version contains fixes for the command injection vulnerability (Cacti Downloads).