CVE-2023-39359

Source
https://nvd.nist.gov/vuln/detail/CVE-2023-39359
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-39359.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2023-39359
Aliases
  • GHSA-q4wh-3f9w-836h
Related
Published
2023-09-05T21:15:46Z
Modified
2024-10-12T11:02:21.172548Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

Cacti is an open source operational monitoring and fault management framework. An authenticated SQL injection vulnerability was discovered which allows authenticated users to perform privilege escalation and remote code execution. The vulnerability resides in the graphs.php file. When dealing with the cases of ajaxhosts and ajaxhosts_noany, if the site_id parameter is greater than 0, it is directly reflected in the WHERE clause of the SQL statement. This creates an SQL injection vulnerability. This issue has been addressed in version 1.2.25. Users are advised to upgrade. There are no known workarounds for this vulnerability.

References

Affected packages

Debian:11 / cacti

Package

Name
cacti
Purl
pkg:deb/debian/cacti?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.2.16+ds1-2+deb11u2

Affected versions

1.*

1.2.16+ds1-2
1.2.16+ds1-2+deb11u1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / cacti

Package

Name
cacti
Purl
pkg:deb/debian/cacti?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.2.24+ds1-1+deb12u1

Affected versions

1.*

1.2.24+ds1-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / cacti

Package

Name
cacti
Purl
pkg:deb/debian/cacti?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.2.25+ds1-1

Affected versions

1.*

1.2.24+ds1-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/cacti/cacti

Affected ranges

Type
GIT
Repo
https://github.com/cacti/cacti
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

releaes/1.*

releaes/1.2.19

release/1.*

release/1.0.0
release/1.0.1
release/1.0.2
release/1.0.3
release/1.0.4
release/1.0.5
release/1.0.6
release/1.1.0
release/1.1.1
release/1.1.11
release/1.1.12
release/1.1.13
release/1.1.14
release/1.1.15
release/1.1.16
release/1.1.17
release/1.1.18
release/1.1.19
release/1.1.2
release/1.1.20
release/1.1.21
release/1.1.22
release/1.1.23
release/1.1.24
release/1.1.25
release/1.1.26
release/1.1.27
release/1.1.28
release/1.1.29
release/1.1.3
release/1.1.30
release/1.1.31
release/1.1.32
release/1.1.33
release/1.1.34
release/1.1.35
release/1.1.36
release/1.1.37
release/1.1.38
release/1.1.4
release/1.1.5
release/1.1.6
release/1.1.7
release/1.1.8
release/1.2.0
release/1.2.0-beta1
release/1.2.0-beta2
release/1.2.0-beta3
release/1.2.0-beta4
release/1.2.1
release/1.2.10
release/1.2.11
release/1.2.12
release/1.2.13
release/1.2.14
release/1.2.15
release/1.2.16
release/1.2.17
release/1.2.18
release/1.2.19
release/1.2.2
release/1.2.20
release/1.2.21
release/1.2.22
release/1.2.23
release/1.2.24
release/1.2.3
release/1.2.4
release/1.2.5
release/1.2.6
release/1.2.7
release/1.2.8
release/1.2.9