CVE-2019-17357 — SQL Injection in Cacti

CWE-89 — SQL Injection7 documents5 sources

Severity

6.5MEDIUMNVD

EPSS

16.2%

top 5.19%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cacti Debian Cacti

Timeline

PublishedJan 21

Latest updateMay 24

Description

Cacti through 1.2.7 is affected by a graphs.php?template_id= SQL injection vulnerability affecting how template identifiers are handled when a string and id composite value are used to identify the template type and id. An authenticated attacker can exploit this to extract data from the database, or an unauthenticated remote attacker could exploit this via Cross-Site Request Forgery.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

▶debiandebian/cacti< cacti 1.2.8+ds1-1 (bookworm)

▶Debiancacti/cacti< 1.2.8+ds1-1+3

▶NVDcacti/cacti1.2.7

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-mxrx-hwh2-j2jm: Cacti through 1↗2022-05-24

▶

OSV

CVE-2019-17357: Cacti through 1↗2020-01-21

▶

📋Vendor Advisories

Debian

CVE-2019-17357: cacti - Cacti through 1.2.7 is affected by a graphs.php?template_id= SQL injection vulne...↗2019

▶

💬Community

Bugzilla

CVE-2019-17357 cacti: SQL Injection in graphs.php [epel-all]↗2019-12-26

▶

Bugzilla

CVE-2019-17357 cacti: SQL Injection in graphs.php [fedora-all]↗2019-12-26

▶

Bugzilla

CVE-2019-17357 cacti: SQL Injection in graphs.php↗2019-12-26

▶