Unauthenticated SQL Injection in graph_view.php in Cacti
CVE-2023-39361

9.8CRITICAL

Key Information:

Vendor

Cacti

Status
Cacti
Vendor
CVE Published:
5 September 2023

What is CVE-2023-39361?

Cacti, an open-source operational monitoring framework, is vulnerable to an SQL injection attack via graph_view.php. By default, this script is accessible to guest users without requiring authentication. This configuration poses significant risks, allowing potential attackers to exploit the vulnerability, possibly resulting in unauthorized administrative privileges or remote code execution. Users are strongly encouraged to upgrade to version 1.2.25 to mitigate this risk, as no workarounds are available.

Affected Version(s)

cacti < 1.2.25

References

https://github.com/Cacti/cacti/security/advisories/GHSA-6...
x_refsource_CONFIRM
https://lists.fedoraproject.org/archives/list/package-ann...
https://lists.fedoraproject.org/archives/list/package-ann...

EPSS Score

93% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.