CVSS3: 8.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.001 Low
Percentile: 30.9%

Cacti is an open source operational monitoring and fault management framework. An authenticated SQL injection vulnerability was discovered which allows authenticated users to perform privilege escalation and remote code execution. The vulnerability resides in the reports_user.php file. In ajax_get_branches, the tree_id parameter is passed to the reports_get_branch_select function without any validation. This issue has been addressed in version 1.2.25. Users are advised to upgrade. There are no known workarounds for this vulnerability.
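
A defender-side check for the issue described above, added here as an example (not code from Cacti or from this advisory): it scans web access logs for requests to reports_user.php whose tree_id is not a plain integer. It assumes tree_id arrives in the query string and that legitimate values are non-negative integers; the log lines and the function name are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [01/Sep/2023:10:00:01 +0000] "GET /cacti/reports_user.php?tree_id=3 HTTP/1.1" 200 512
198.51.100.9 - - [01/Sep/2023:10:00:05 +0000] "GET /cacti/reports_user.php?tree_id=3%20OR%201%3D1 HTTP/1.1" 200 2048
198.51.100.9 - - [01/Sep/2023:10:00:09 +0000] "GET /cacti/graph_view.php?tree_id=abc HTTP/1.1" 200 100
198.51.100.4 - - [01/Sep/2023:10:00:12 +0000] "GET /cacti/reports_user.php?tree_id=7&tree_id=7%27 HTTP/1.1" 200 90
"""

# Client address and request target from a combined-format log line.
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Assumption: a legitimate tree_id is a non-negative integer.
INTEGER_RE = re.compile(r"[0-9]+")


def suspicious_tree_id_requests(log_text):
    """Return (client, decoded_value) for each non-integer tree_id sent to reports_user.php."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.match(line)
        if not match:
            continue
        client, target = match.groups()
        url = urlsplit(target)
        if not url.path.endswith("/reports_user.php"):
            continue
        # parse_qs percent-decodes values and keeps every occurrence of a
        # repeated key, so a second tree_id cannot hide behind a clean first one.
        params = parse_qs(url.query, keep_blank_values=True)
        for value in params.get("tree_id", []):
            if not INTEGER_RE.fullmatch(value):
                hits.append((client, value))
    return hits


if __name__ == "__main__":
    for client, value in suspicious_tree_id_requests(SAMPLE_LOG):
        print(f"{client} sent non-integer tree_id: {value!r}")
```

Access logs normally omit request bodies, so a tree_id sent in a POST body will not show up here; upgrading to 1.2.25 remains the fix.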