CVE-2023-39357: Improper Input Validation in Cacti

Severity: 8.8 HIGH (NVD)
EPSS: 3.2% (top 12.87%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Sep 5

Description

Cacti is an open source operational monitoring and fault management framework. A defect in the sql_save function was discovered. When the column type is numeric, the sql_save function directly utilizes user input. Many files and functions calling the sql_save function do not perform prior validation of user input, leading to the existence of multiple SQL injection vulnerabilities in Cacti. This allows authenticated users to exploit these SQL injection vulnerabilities to perform privilege escalat

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 5.9

Affected Packages (4 packages)

Source    | Package         | Affected versions
CVEListV5 | cacti/cacti     | < 1.2.25
debian    | debian/cacti    | < cacti 1.2.24+ds1-1+deb12u1 (bookworm)
Debian    | cacti/cacti     | < 1.2.16+ds1-2+deb11u2+3
NVD       | cacti/cacti     | 1.2.24

Also affects: Fedora 37, 38

Vulnerability Details (1)

OSV
CVE-2023-39357: Cacti is an open source operational monitoring and fault management framework (2023-09-05)

Vendor Advisories (1)

Debian
CVE-2023-39357: cacti - Cacti is an open source operational monitoring and fault management framework. A... (2023)