CVE-2015-0916 — SQL Injection in Cacti

CWE-89 — SQL Injection5 documents5 sources

Severity

6.5MEDIUMNVD

OSV7.5

EPSS

0.4%

top 42.42%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cacti Debian Cacti

Timeline

PublishedMay 22

Latest updateMay 25

Description

SQL injection vulnerability in graph.php in Cacti before 0.8.6f allows remote authenticated users to execute arbitrary SQL commands via the local_graph_id parameter, a different vulnerability than CVE-2007-6035.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 8.0 | Impact: 6.4

Affected Packages3 packages

▶debiandebian/cacti< cacti 0.8.6f-1 (bookworm)

▶Debiancacti/cacti< 0.8.6f-1+3

▶NVDcacti/cacti0.8.6e

Patches

Patch: www.cacti.net ↗Patch: www.cacti.net ↗

🔴Vulnerability Details

GHSA

GHSA-xqwx-r7c6-p379: SQL injection vulnerability in graph↗2022-05-17

▶

OSV

CVE-2015-0916: SQL injection vulnerability in graph↗2015-05-22

▶

💥Exploits & PoCs

Exploit-DB

Seagate Central Storage 2015.0916 - Unauthenticated Remote Command Execution (Metasploit)↗2023-05-25

▶

📋Vendor Advisories

Debian

CVE-2015-0916: cacti - SQL injection vulnerability in graph.php in Cacti before 0.8.6f allows remote au...↗2015

▶