Cacti provides an operational monitoring and fault management framework. Version 1.2.25 has a Blind SQL Injection (SQLi) vulnerability within the SNMP Notification Receivers feature in the file `‘managers.php’`. An authenticated attacker with the “Settings/Utilities” permission can send a crafted HTTP GET request to the endpoint `‘/cacti/managers.php’` with an SQLi payload in the `‘selected_graphs_array’` HTTP GET parameter. As of time of publication, no patched versions exist.
References
Link | Resource |
---|---|
https://github.com/Cacti/cacti/blob/5f6f65c215d663a775950b2d9db35edbaf07d680/managers.php#L941 | Exploit Vendor Advisory |
https://github.com/Cacti/cacti/security/advisories/GHSA-w85f-7c4w-7594 | Exploit Vendor Advisory |
Configurations
History
29 Dec 2023, 19:26
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:cacti:cacti:1.2.25:*:*:*:*:*:*:* | |
Summary |
|
|
First Time |
Cacti
Cacti cacti |
|
References | () https://github.com/Cacti/cacti/blob/5f6f65c215d663a775950b2d9db35edbaf07d680/managers.php#L941 - Exploit, Vendor Advisory | |
References | () https://github.com/Cacti/cacti/security/advisories/GHSA-w85f-7c4w-7594 - Exploit, Vendor Advisory |
22 Dec 2023, 17:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-12-22 17:15
Updated : 2023-12-29 19:26
NVD link : CVE-2023-51448
Mitre link : CVE-2023-51448
CVE.ORG link : CVE-2023-51448
JSON object : View
Products Affected
cacti
- cacti
CWE
CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')