CVE-2023-39359SQL Injection in Cacti

CWE-89SQL Injection3 documents3 sources
Severity
8.8HIGHNVD
EPSS
4.7%
top 10.59%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
CactiDebian CactiFedoraproject Fedora
Timeline
PublishedSep 5

Description

Cacti is an open source operational monitoring and fault management framework. An authenticated SQL injection vulnerability was discovered which allows authenticated users to perform privilege escalation and remote code execution. The vulnerability resides in the `graphs.php` file. When dealing with the cases of ajax_hosts and ajax_hosts_noany, if the `site_id` parameter is greater than 0, it is directly reflected in the WHERE clause of the SQL statement. This creates an SQL injection vulnerabil

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages3 packages

NVDcacti/cacti< 1.2.25
debiandebian/cacti< cacti 1.2.24+ds1-1+deb12u1 (bookworm)
Debiancacti/cacti< 1.2.16+ds1-2+deb11u2+3

Also affects: Fedora 37, 38

🔴Vulnerability Details

1
OSV
CVE-2023-39359: Cacti is an open source operational monitoring and fault management framework2023-09-05

📋Vendor Advisories

1
Debian
CVE-2023-39359: cacti - Cacti is an open source operational monitoring and fault management framework. A...2023