CVE-2020-14295
Published 2020-06-17
Priority: P2 · 67 · high · 7.2 (CVSS 3.1)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Exploit: public (see the Exploit-DB and Metasploit entries below)
EPSS: 86.33% (99.7th percentile)
A SQL injection issue in color.php in Cacti 1.2.12 allows an admin to inject SQL via the filter parameter. This can lead to remote command execution because the product accepts stacked queries.
Affected (11 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cacti | cacti | — | — |
| cacti | cacti | >= 0 < 1.2.13+ds1-1 | 1.2.13+ds1-1 |
| cacti | cacti | >= 0 < 1.2.13+ds1-1 | 1.2.13+ds1-1 |
| cacti | cacti | >= 0 < 1.2.13+ds1-1 | 1.2.13+ds1-1 |
| cacti | cacti | >= 0 < 1.2.13+ds1-1 | 1.2.13+ds1-1 |
| cacti | cacti | >= 0 < 0.8.8f+ds1-4ubuntu4.16.04.2+esm1 | 0.8.8f+ds1-4ubuntu4.16.04.2+esm1 |
| cacti | cacti | >= 0 < 1.1.38+ds1-1ubuntu0.1~esm1 | 1.1.38+ds1-1ubuntu0.1~esm1 |
| cacti | cacti | >= 0 < 1.2.10+ds1-1ubuntu1+esm1 | 1.2.10+ds1-1ubuntu1+esm1 |
| debian | cacti | < cacti 1.2.13+ds1-1 (bookworm) | cacti 1.2.13+ds1-1 (bookworm) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
Detection & IOCs (extracted from sources)
- command: `')+UNION+SELECT+1,username,password,4,5,6,7+from+user_auth;update+settings+set+value='{rshell};'+where+name='path_php_binary';--+-`
- Monitor HTTP GET requests to /cacti/color.php containing SQL metacharacters (e.g., single quotes, UNION SELECT, stacked semicolons) in the 'filter' query parameter.
- Detect stacked SQL queries targeting the Cacti 'settings' table, specifically UPDATE statements setting 'path_php_binary' to an attacker-controlled shell command, followed by a trigger via host.php?action=reindex.
- Alert on HTTP requests to /cacti/host.php?action=reindex immediately following suspicious requests to color.php, as this is the trigger step for RCE after the SQLi payload is planted.
- Look for reverse shell indicators on the host: creation of /tmp/f as a named pipe (mkfifo) combined with outbound nc (netcat) connections, which is the payload delivered via this exploit.
- Detect UNION-based SQL injection in the color.php filter parameter targeting the user_auth table to harvest credentials: look for 'UNION+SELECT' and 'from+user_auth' in URL query strings.
- Exploitation requires authenticated admin-level access to Cacti; this is not an unauthenticated vulnerability. Detections should account for the attacker first authenticating via /cacti/index.php before issuing the SQLi payload.
- The exploit resets the path_php_binary value after execution, which may limit forensic artefacts in the settings table post-exploitation.
- Fixed in Cacti 1.2.13; Debian packages resolved in 1.2.13+ds1-1. Ensure the patched version is deployed to eliminate the attack surface entirely.
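As an added example that is not part of this page, of Cacti, or of any tool listed here, the script below applies the detection guidance above to web-server access log lines: it flags color.php requests whose 'filter' value carries the SQL markers named above, then correlates a host.php?action=reindex from the same client within a window. The combined-log line shape, the marker list, the 60-second window and the sample log lines are all assumptions.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Assumed log shape: Apache/nginx "combined" style, client first, then [timestamp] "METHOD target proto"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*"')
# Markers taken from the detection notes on this page (assumed list, extend to taste)
SQLI_MARKERS = ("'", "union select", ";", "user_auth", "path_php_binary")

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    client, ts, _method, target = m.groups()
    parts = urlsplit(target)
    # parse_qs undoes %XX escapes and turns '+' into spaces, so "UNION+SELECT" becomes "UNION SELECT"
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return {"client": client, "when": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
            "path": parts.path, "params": params}

def filter_is_suspicious(filter_value):
    # Empty list means clean; a lone quote is noisy on its own, so every matched marker is reported
    lowered = filter_value.lower()
    return [marker for marker in SQLI_MARKERS if marker in lowered]

def detect(lines, window_seconds=60):
    # planted maps client -> time of its last suspicious color.php request
    alerts, planted = [], {}
    for line in lines:
        req = parse_line(line)
        if req is None:
            continue
        if req["path"].endswith("/color.php") and "filter" in req["params"]:
            hits = filter_is_suspicious(req["params"]["filter"])
            if hits:
                alerts.append(("sqli_color_filter", req["client"], hits))
                planted[req["client"]] = req["when"]
        elif req["path"].endswith("/host.php") and req["params"].get("action") == "reindex":
            t0 = planted.get(req["client"])
            if t0 is not None and timedelta(0) <= req["when"] - t0 <= timedelta(seconds=window_seconds):
                alerts.append(("rce_trigger_after_sqli", req["client"], ["host.php?action=reindex"]))
    return alerts

# Constructed sample lines (not from a real incident): benign filter, UNION read of user_auth ending a
# stacked statement, the reindex trigger from the same client, and an unrelated reindex from another client
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Oct/2020:13:55:30 +0000] "GET /cacti/color.php?filter=blue HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Oct/2020:13:55:36 +0000] "GET /cacti/color.php?filter=%27%29+UNION+SELECT+1%2Cusername%2Cpassword%2C4%2C5%2C6%2C7+from+user_auth%3B--+- HTTP/1.1" 200 2048',
    '203.0.113.5 - - [10/Oct/2020:13:55:41 +0000] "GET /cacti/host.php?action=reindex HTTP/1.1" 302 0',
    '198.51.100.7 - - [10/Oct/2020:13:56:02 +0000] "GET /cacti/host.php?action=reindex HTTP/1.1" 302 0',
]
```

Running `detect(SAMPLE_LOG)` yields one `sqli_color_filter` alert and one `rce_trigger_after_sqli` alert, both for 203.0.113.5; the benign filter and the unrelated reindex produce nothing.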
CVSS provenance
- nvd v3.1: 7.2 HIGH (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
- nvd v2.0: 6.5 MEDIUM (AV:N/AC:L/Au:S/C:P/I:P/A:P)
- osv: 7.2 HIGH
- vendor_debian: 7.2 HIGH
- vendor_ubuntu: 4.3 MEDIUM
OSV
cacti vulnerabilities
osv · 2022-06-09 · CVSS 4.3
CVE-2020-13230 [MEDIUM] cacti vulnerabilities
It was discovered that Cacti was incorrectly validating permissions for user accounts that had been recently disabled. An authenticated attacker could possibly use this to obtain unauthorized access to application and system data. (CVE-2020-13230)
It was discovered that Cacti was incorrectly performing authorization checks in auth_profile.php. A remote unauthenticated attacker could use this to perform a CSRF attack and set a new admin email or make other changes. This issue only affected Ubuntu 18.04 ESM and Ubuntu 20.04 ESM. (CVE-2020-13231)
It was discovered that Cacti incorrectly handled user provided input sent through request parameters to the color.php script. A remote authenticated attacker could use this issue to perform SQL injection attacks. This issue o
GHSA
GHSA-rwpv-9gq4-x5g3: A SQL injection issue in color
ghsa_unreviewed · 2022-05-24
CVE-2020-14295 [MEDIUM] CWE-89 GHSA-rwpv-9gq4-x5g3: A SQL injection issue in color
A SQL injection issue in color.php in Cacti 1.2.12 allows an admin to inject SQL via the filter parameter. This can lead to remote command execution because the product accepts stacked queries.
OSV
CVE-2020-14295: A SQL injection issue in color
osv · 2020-06-17 · CVSS 7.2
CVE-2020-14295 [HIGH] CVE-2020-14295: A SQL injection issue in color
A SQL injection issue in color.php in Cacti 1.2.12 allows an admin to inject SQL via the filter parameter. This can lead to remote command execution because the product accepts stacked queries.
Ubuntu
Cacti vulnerabilities
vendor_ubuntu · 2022-06-09 · CVSS 4.3
CVE-2020-14424 [MEDIUM] Cacti vulnerabilities
Title: Cacti vulnerabilities
Summary: Several security issues were fixed in Cacti.
It was discovered that Cacti was incorrectly validating permissions for user accounts that had been recently disabled. An authenticated attacker could possibly use this to obtain unauthorized access to application and system data. (CVE-2020-13230)
It was discovered that Cacti was incorrectly performing authorization checks in auth_profile.php. A remote unauthenticated attacker could use this to perform a CSRF attack and set a new admin email or make other changes. This issue only affected Ubuntu 18.04 ESM and Ubuntu 20.04 ESM. (CVE-2020-13231)
It was discovered that Cacti incorrectly handled user provided input sent through request parameters to the color.php script. A remote authenticated attacker could
Debian
CVE-2020-14295: cacti - A SQL injection issue in color.php in Cacti 1.2.12 allows an admin to inject SQL...
vendor_debian · 2020 · CVSS 7.2
CVE-2020-14295 [HIGH] CVE-2020-14295: cacti - A SQL injection issue in color.php in Cacti 1.2.12 allows an admin to inject SQL...
A SQL injection issue in color.php in Cacti 1.2.12 allows an admin to inject SQL via the filter parameter. This can lead to remote command execution because the product accepts stacked queries.
Scope: local
bookworm: resolved (fixed in 1.2.13+ds1-1)
bullseye: resolved (fixed in 1.2.13+ds1-1)
forky: resolved (fixed in 1.2.13+ds1-1)
sid: resolved (fixed in 1.2.13+ds1-1)
trixie: resolved (fixed in 1.2.13+ds1-1)
No detection rules found.
Exploit-DB
Cacti 1.2.12 - 'filter' SQL Injection
exploitdb · 2021-04-29 · CVSS 7.2
CVE-2020-14295 [HIGH] Cacti 1.2.12 - 'filter' SQL Injection
---
```python
# Exploit Title: Cacti 1.2.12 - 'filter' SQL Injection / Remote Code Execution
# Date: 04/28/2021
# Exploit Author: Leonardo Paiva
# Vendor Homepage: https://www.cacti.net/
# Software Link: https://www.cacti.net/downloads/cacti-1.2.12.tar.gz
# Version: 1.2.12
# Tested on: Ubuntu 20.04
# CVE : CVE-2020-14295
# Credits: @M4yFly (https://twitter.com/M4yFly)
# References:
# https://github.com/Cacti/cacti/issues/3622
# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14295
#!/usr/bin/python3
import argparse
import requests
import sys
import urllib.parse
from bs4 import BeautifulSoup
# proxies = {'http': 'http://127.0.0.1:8080'}
def login(url, username, password, session):
    print("[+] Connecting to the server...")
    get_token_request =
```
Metasploit
Cacti color filter authenticated SQLi to RCE
metasploit
Cacti color filter authenticated SQLi to RCE
This module exploits a SQL injection vulnerability in Cacti 1.2.12 and before. An admin can exploit the filter variable within color.php to pull arbitrary values as well as conduct stacked queries. With stacked queries, the path_php_binary value is changed within the settings table to a payload, and an update is called to execute the payload. After calling the payload, the value is reset.
Bugzilla
CVE-2020-14295 cacti: SQL injection in color.php can lead to remote command execution
bugzilla · 2020-06-19 · CVSS 7.2
CVE-2020-14295 [HIGH] CVE-2020-14295 cacti: SQL injection in color.php can lead to remote command execution
A SQL injection issue in color.php in Cacti 1.2.12 allows an admin to inject SQL via the filter parameter. This can lead to remote command execution because the product accepts stacked queries.
Reference:
https://github.com/Cacti/cacti/issues/3622
Discussion:
Created cacti tracking bugs for this issue:
Affects: epel-all [bug 1849135]
Affects: fedora-all [bug 1849134]
---
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.
Bugzilla
CVE-2020-14295 cacti: SQL injection in color.php can lead to remote command execution [epel-all]
bugzilla · 2020-06-19 · CVSS 7.2
CVE-2020-14295 [HIGH] CVE-2020-14295 cacti: SQL injection in color.php can lead to remote command execution [epel-all]
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of epel-all.
For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.
For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.
NOTE: this issue affects multiple s
Bugzilla
CVE-2020-14295 cacti: SQL injection in color.php can lead to remote command execution [fedora-all]
bugzilla · 2020-06-19 · CVSS 7.2
CVE-2020-14295 [HIGH] CVE-2020-14295 cacti: SQL injection in color.php can lead to remote command execution [fedora-all]
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of fedora-all.
For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.
For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.
NOTE: this issue affects multip
References
- http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00067.html
- http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00085.html
- http://packetstormsecurity.com/files/162384/Cacti-1.2.12-SQL-Injection-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/162918/Cacti-1.2.12-SQL-Injection-Remote-Command-Execution.html
- https://github.com/Cacti/cacti/issues/3622
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W64CIB6L4HZRVQSWKPDDKXJO4J2XTOXD/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZKM5G3YNSZDHDZMPCMAHG5B5M2V4XYSE/
- https://security.gentoo.org/glsa/202007-03