CVE-2020-35701 — SQL Injection in Cacti

CWE-89 — SQL Injection6 documents5 sources

Severity

8.8HIGHNVD

OSV4.3

EPSS

1.8%

top 17.01%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cacti Debian Cacti Fedoraproject Fedora

Timeline

PublishedJan 11

Latest updateJun 9

Description

An issue was discovered in Cacti 1.2.x through 1.2.16. A SQL injection vulnerability in data_debug.php allows remote authenticated attackers to execute arbitrary SQL commands via the site_id parameter. This can lead to remote code execution.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages4 packages

▶debiandebian/cacti< cacti 1.2.16+ds1-2 (bookworm)

▶Debiancacti/cacti< 1.2.16+ds1-2+3

▶Ubuntucacti/cacti< 0.8.8f+ds1-4ubuntu4.16.04.2+esm1+2

▶NVDcacti/cacti1.2.0 — 1.2.16

Also affects: Fedora 32, 33, 34

🔴Vulnerability Details

OSV

cacti vulnerabilities↗2022-06-09

▶

GHSA

GHSA-jprc-322p-6cp4: An issue was discovered in Cacti 1↗2022-05-24

▶

OSV

CVE-2020-35701: An issue was discovered in Cacti 1↗2021-01-11

▶

📋Vendor Advisories

Ubuntu

Cacti vulnerabilities↗2022-06-09

▶

Debian

CVE-2020-35701: cacti - An issue was discovered in Cacti 1.2.x through 1.2.16. A SQL injection vulnerabi...↗2020

▶