CVSS3 | 9.8 High
---|---
Attack Vector | NETWORK
Attack Complexity | LOW
Privileges Required | NONE
User Interaction | NONE
Scope | UNCHANGED
Confidentiality Impact | HIGH
Integrity Impact | HIGH
Availability Impact | HIGH
Vector string | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS | 0.533 Medium
---|---
Percentile | 97.6%
Cacti is an open source operational monitoring and fault management
framework. Affected versions contain a SQL injection vulnerability in
graph_view.php. Because guest users can access graph_view.php without
authentication by default, deployments with the guest account enabled are
exposed to significant damage. An attacker who exploits this vulnerability
may be able to escalate to administrative privileges or achieve remote code
execution. This issue has been addressed in version 1.2.25. Users are
advised to upgrade. There are no known workarounds for this vulnerability.
Author | Note
---|---
 | Priority reason: The vulnerable page can be accessed without authentication by default and the vulnerability can be exploited remotely and lead to code execution.
alexmurray | This was introduced upstream via https://github.com/Cacti/cacti/commit/36269461cb9b03581ad5d7f6ddbc085a28fb9c37 and so only 1.2.19 and later were affected.