mirror of
https://github.com/0xMarcio/cve.git
synced 2025-06-19 17:30:12 +00:00
1.3 KiB
1.3 KiB
CVE-2024-31445
&color=brighgreen)
Description
Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, a SQL injection vulnerability in automation_get_new_graphs_sql function of api_automation.php allows authenticated users to exploit these SQL injection vulnerabilities to perform privilege escalation and remote code execution. In api_automation.php line 856, the get_request_var('filter') is being concatenated into the SQL statement without any sanitization. In api_automation.php line 717, The filter of 'filter' is FILTER_DEFAULT, which means there is no filter for it. Version 1.2.27 contains a patch for the issue.
POC
Reference
- https://github.com/Cacti/cacti/security/advisories/GHSA-vjph-r677-6pcc
- https://github.com/Cacti/cacti/security/advisories/GHSA-vjph-r677-6pcc
Github
No PoCs found on GitHub currently.