CVE-2023-39365: SQL Injection when using regular expressions

Cacti is an open source operational monitoring and fault management framework. Issues with Cacti Regular Expression validation combined with the external links feature can lead to limited SQL Injections and subsequent data leakage. This issue has been addressed in version 1.2.25. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Moderate

netniV published GHSA-v5w7-hww7-2f22

Sep 5, 2023

Affected versions

< 1.2.25

Patched versions

1.2.25, 1.3.0

Description

Summary

As reported by Trend Micro, issues with Cacti Regular Expression validation combined with our external links feature can lead to SQL Injections and subsequent data leakage.

Details

See: ZDI-CAN-20767 and ZDI-CAN-21001

PoC

The proof of concept is included in the ZDI reports referenced above.

Impact

Possible unchecked SQL injection and data leakage as reported.

Severity

CVSS base metrics

User interaction

Required

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:L

Related news

Debian Security Advisory 5550-1

Debian Linux Security Advisory 5550-1 - Multiple security vulnerabilities have been discovered in Cacti, a web interface for graphing of monitoring systems, which could result in cross-site scripting, SQL injection, an open redirect or command injection.
