Multiple input sanitization flaws were discovered in cacti. An authenticated cacti administrator could use these flaws to run shell commands with web server privileges.
Note: a cacti administrator is always allowed to run commands as the cacti user.
See also bug #595289 for some related discussion.
*** Bug 586064 has been marked as a duplicate of this bug. ***
This issue has been addressed in the following products:
Red Hat HPC Solution for RHEL 5
Via RHSA-2010:0635 https://rhn.redhat.com/errata/RHSA-2010-0635.html