CVE-2014-2708

Name of the Vulnerable Software and Affected Versions Cacti versions 0.8.7g, 0.8.8b, and earlier

Description The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved via several parameters in the graph xport.php file, including graph start, graph end, graph height, graph width, graph nolegend, print source, local graph id, or rra id.

Recommendations For Cacti versions 0.8.7g and 0.8.8b, update to a version later than 0.8.8b to resolve the issue. For Cacti versions earlier than 0.8.7g, update to a version later than 0.8.7g to resolve the issue. As a temporary workaround, consider restricting access to the graph xport.php file until a patch is available. Avoid using the parameters graph start, graph end, graph height, graph width, graph nolegend, print source, local graph id, or rra id in the graph xport.php file until the issue is resolved.