CVE-2010-2092

Name of the Vulnerable Software and Affected Versions Cacti versions 0.8.7e and earlier

Description The issue allows remote attackers to execute arbitrary SQL commands via a crafted rra id parameter in a GET request, in conjunction with a valid rra id value in a POST request or a cookie. This causes the POST or cookie value to bypass the validation routine, but inserts the $ GET value into the resulting query.

Recommendations For Cacti versions 0.8.7e and earlier, as a temporary workaround, consider restricting access to the graph.php file until a patch is available. Avoid using the rra id parameter in GET requests to minimize the risk of exploitation.