CVE-2024-31445
CVSS v3.1
8.8 (High)
EPSS
0.04 % (16th)
Advisories
3
NVD Status
Awaiting Analysis
Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, a SQL injection vulnerability in automation_get_new_graphs_sql
function of api_automation.php
allows authenticated users to exploit these SQL injection vulnerabilities to perform privilege escalation and remote code execution. In api_automation.php
line 856, the get_request_var('filter')
is being concatenated into the SQL statement without any sanitization. In api_automation.php
line 717, The filter of 'filter'
is FILTER_DEFAULT
, which means there is no filter for it. Version 1.2.27 contains a patch for the issue.
Weaknesses
- CWE-89
- Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
- CVE Status
- PUBLISHED
- NVD Status
- Awaiting Analysis
- CNA
- GitHub, Inc.
- Published Date
-
2024-05-14 15:25:21
(4 months ago) - Updated Date
-
2024-06-10 17:16:26
(3 months ago)
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...