CVE-2017-16661 log

Severity Medium
Remote Yes
Type Arbitrary filesystem access
Cacti 1.1.27 allows remote authenticated administrators to read arbitrary files by placing the Log Path into a private directory, and then making a clog.php?filename= request, as demonstrated by filename=passwd (with a Log Path under /etc) to read /etc/passwd.
Group Package Affected Fixed Severity Status Ticket
AVG-537 cacti 1.1.17-1 1.1.28-1 High Fixed
Date Advisory Group Package Severity Type
02 Dec 2017 ASA-201712-2 AVG-537 cacti High multiple issues