CVE-2024-31445

Summary

Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, a SQL injection vulnerability in automation_get_new_graphs_sql function of api_automation.php allows authenticated users to exploit these SQL injection vulnerabilities to perform privilege escalation and remote code execution. In api_automation.php line 856, the get_request_var('filter') is being concatenated into the SQL statement without any sanitization. In api_automation.php line 717, The filter of 'filter' is FILTER_DEFAULT, which means there is no filter for it. Version 1.2.27 contains a patch for the issue.

Affected Software

VendorProductVersion RangeStatus
Cacticacti< 1.2.27affected

Weaknesses

  • CWE-89: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: total

CVE Program Container

Additional References

References