7.2 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
6.5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P
A SQL injection issue in color.php in Cacti 1.2.12 allows an admin to inject SQL via the filter parameter. This can lead to remote command execution because the product accepts stacked queries.
Recent assessments:
h00die at May 31, 2021 12:03pm UTC reported:
Authenticated user is able to cause a SQLi in color.php
. This can be used to dump user creds by default. However, it can also be exploited for RCE. cacti databases the executable for php, and with the SQLi we can change the location to be a command injection.
Assessed Attacker Value: 3
Assessed Attacker Value: 3Assessed Attacker Value: 3
lists.opensuse.org/opensuse-security-announce/2020-07/msg00067.html
lists.opensuse.org/opensuse-security-announce/2020-07/msg00085.html
packetstormsecurity.com/files/162384/Cacti-1.2.12-SQL-Injection-Remote-Code-Execution.html
packetstormsecurity.com/files/162918/Cacti-1.2.12-SQL-Injection-Remote-Command-Execution.html
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14295
github.com/Cacti/cacti/issues/3622
lists.fedoraproject.org/archives/list/[email protected]/message/W64CIB6L4HZRVQSWKPDDKXJO4J2XTOXD
lists.fedoraproject.org/archives/list/[email protected]/message/W64CIB6L4HZRVQSWKPDDKXJO4J2XTOXD/
lists.fedoraproject.org/archives/list/[email protected]/message/ZKM5G3YNSZDHDZMPCMAHG5B5M2V4XYSE
lists.fedoraproject.org/archives/list/[email protected]/message/ZKM5G3YNSZDHDZMPCMAHG5B5M2V4XYSE/
security.gentoo.org/glsa/202007-03
7.2 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
6.5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P