CVE-2023-39358SQL Injection in Cacti

CWE-89SQL Injection3 documents3 sources
Severity
8.8HIGHNVD
EPSS
4.0%
top 11.57%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
CactiDebian CactiFedoraproject Fedora
Timeline
PublishedSep 5

Description

Cacti is an open source operational monitoring and fault management framework. An authenticated SQL injection vulnerability was discovered which allows authenticated users to perform privilege escalation and remote code execution. The vulnerability resides in the `reports_user.php` file. In `ajax_get_branches`, the `tree_id` parameter is passed to the `reports_get_branch_select` function without any validation. This issue has been addressed in version 1.2.25. Users are advised to upgrade. There

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages3 packages

NVDcacti/cacti< 1.2.25
debiandebian/cacti< cacti 1.2.24+ds1-1+deb12u1 (bookworm)
Debiancacti/cacti< 1.2.24+ds1-1+deb12u1+2

Also affects: Fedora 37, 38

🔴Vulnerability Details

1
OSV
CVE-2023-39358: Cacti is an open source operational monitoring and fault management framework2023-09-05

📋Vendor Advisories

1
Debian
CVE-2023-39358: cacti - Cacti is an open source operational monitoring and fault management framework. A...2023