CVE-2010-2092 — SQL Injection in Cacti

CWE-89 — SQL Injection7 documents6 sources

Severity

7.5HIGHNVD

EPSS

0.1%

top 65.93%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cacti Debian Cacti

Timeline

PublishedMay 27

Latest updateMay 17

Description

SQL injection vulnerability in graph.php in Cacti 0.8.7e and earlier allows remote attackers to execute arbitrary SQL commands via a crafted rra_id parameter in a GET request in conjunction with a valid rra_id value in a POST request or a cookie, which causes the POST or cookie value to bypass the validation routine, but inserts the $_GET value into the resulting query.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 10.0 | Impact: 6.4

Affected Packages3 packages

▶debiandebian/cacti< cacti 0.8.7e-4 (bookworm)

▶Debiancacti/cacti< 0.8.7e-4+3

▶NVDcacti/cacti0.8.7e+36

🔴Vulnerability Details

GHSA

GHSA-4j37-prg9-64vh: SQL injection vulnerability in graph↗2022-05-17

▶

OSV

CVE-2010-2092: SQL injection vulnerability in graph↗2010-05-27

▶

📋Vendor Advisories

Red Hat

cacti: graph.php rra_id SQL injection vulnerability (MOPS-2010-023)↗2010-05-20

▶

Debian

CVE-2010-2092: cacti - SQL injection vulnerability in graph.php in Cacti 0.8.7e and earlier allows remo...↗2010

▶

💬Community

Bugzilla

CVE-2010-2092 cacti: graph.php rra_id SQL injection vulnerability (MOPS-2010-023)↗2010-06-29

▶

Bugzilla

CVE-2010-1644 CVE-2010-1645 CVE-2010-2092 Cacti v0.8.7f - three security fixes↗2010-05-24

▶