Headline
CVE-2023-39365: SQL Injection when using regular expressions
Cacti is an open source operational monitoring and fault management framework. Issues with Cacti Regular Expression validation combined with the external links feature can lead to limited SQL Injections and subsequent data leakage. This issue has been addressed in version 1.2.25. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Moderate
netniV published GHSA-v5w7-hww7-2f22
Sep 5, 2023
Affected versions
< 1.2.25
Patched versions
1.2.25, 1.3.0
Description
Summary
As reported by Trend Micro, issues with Cacti Regular Expression validation combined with our external links feature can lead to SQL Injections and subsequent data leakage.
Details
See: ZDI-CAN-20767 and ZDI-CAN-21001
PoC
Is included in the reports.
Impact
Possible unchecked SQL injection and data leakage as reported.
Severity
CVSS base metrics
User interaction
Required
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:L
Weaknesses
Related news
Debian Linux Security Advisory 5550-1 - Multiple security vulnerabilities have been discovered in Cacti, a web interface for graphing of monitoring systems, which could result in cross-site scripting, SQL injection, an open redirect or command injection.