Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2019-17357

Cacti through 1.2.7 is affected by a graphs.php?template_id= SQL injection vulnerability affecting how template identifiers are handled when a string and id composite value are used to identify the template type and id. An authenticated attacker can exploit this to extract data from the database, or an unauthenticated remote attacker could exploit this via Cross-Site Request Forgery.

Published

2020-01-21T19:15:13.067

Last Modified

2024-11-21T04:32:09.900

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 6.5 (MEDIUM)

CVSSv2 Vector

AV:N/AC:L/Au:S/C:P/I:N/A:N

Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE

Exploitability Score

8.0

Impact Score

2.9

Weaknesses

Type: Primary
CWE-89

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	cacti	cacti	≤ 1.2.7	Yes

References

http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00001.html ([email protected])
http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00005.html ([email protected])
http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00042.html ([email protected])
http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00048.html ([email protected])
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947374 Issue Tracking, Third Party Advisory ([email protected])
https://github.com/Cacti/cacti/issues/3025 Patch, Third Party Advisory ([email protected])
https://security.gentoo.org/glsa/202003-40 ([email protected])
https://www.darkmatter.ae/xen1thlabs/ Broken Link ([email protected])
http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00001.html (af854a3a-2127-422b-91ae-364da2661108)
http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00005.html (af854a3a-2127-422b-91ae-364da2661108)
http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00042.html (af854a3a-2127-422b-91ae-364da2661108)
http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00048.html (af854a3a-2127-422b-91ae-364da2661108)
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947374 Issue Tracking, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/Cacti/cacti/issues/3025 Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://security.gentoo.org/glsa/202003-40 (af854a3a-2127-422b-91ae-364da2661108)
https://www.darkmatter.ae/xen1thlabs/ Broken Link (af854a3a-2127-422b-91ae-364da2661108)