A SQL injection issue in color.php in Cacti 1.2.12 allows an admin to inject SQL via the filter parameter. This can lead to remote command execution because the product accepts stacked queries.
Recent assessments:
h00die at May 31, 2021 12:03pm UTC reported:
Authenticated user is able to cause a SQLi in color.php
. This can be used to dump user creds by default. However, it can also be exploited for RCE. cacti databases the executable for php, and with the SQLi we can change the location to be a command injection.
Assessed Attacker Value: 3
Assessed Attacker Value: 3Assessed Attacker Value: 3
lists.opensuse.org/opensuse-security-announce/2020-07/msg00067.html
lists.opensuse.org/opensuse-security-announce/2020-07/msg00085.html
packetstormsecurity.com/files/162384/Cacti-1.2.12-SQL-Injection-Remote-Code-Execution.html
packetstormsecurity.com/files/162918/Cacti-1.2.12-SQL-Injection-Remote-Command-Execution.html
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14295
github.com/Cacti/cacti/issues/3622
lists.fedoraproject.org/archives/list/[email protected]/message/W64CIB6L4HZRVQSWKPDDKXJO4J2XTOXD
lists.fedoraproject.org/archives/list/[email protected]/message/W64CIB6L4HZRVQSWKPDDKXJO4J2XTOXD/
lists.fedoraproject.org/archives/list/[email protected]/message/ZKM5G3YNSZDHDZMPCMAHG5B5M2V4XYSE
lists.fedoraproject.org/archives/list/[email protected]/message/ZKM5G3YNSZDHDZMPCMAHG5B5M2V4XYSE/
security.gentoo.org/glsa/202007-03