X4Vak

**Name of the Vulnerable Software and Affected Versions** Cacti versions prior to 1.2.25 **Description** The issue is a Stored Cross-Site-Scripting (XSS) vulnerability that allows an authenticated user to poison data. It is found in the `graphs new.php` file. Several validations are performed, but the `returnto` parameter is directly passed to `form save button`. To bypass this validation, `returnto` must contain `host.php`. This vulnerability can be exploited by a remote attacker using a specially crafted link. **Recommendations** For versions prior to 1.2.25, upgrade to version 1.2.25 or later. For users unable to update, manually filter HTML output as a temporary workaround. Consider restricting access to the `graphs new.php` file until the issue is resolved. Avoid using the `returnto` parameter in the affected API endpoint until the issue is resolved. As a temporary mitigation measure, consider disabling the `form save button` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Cacti versions prior to 1.2.25 **Description** An authenticated SQL injection issue was discovered in Cacti, an open source operational monitoring and fault management framework. This issue allows authenticated users to perform privilege escalation and remote code execution. The vulnerability is located in the `graphs.php` file and is related to the `ajax hosts` and `ajax hosts noany` functions. When the `site id` parameter is greater than 0, it is directly reflected in the WHERE clause of the SQL statement, creating an SQL injection vulnerability. **Recommendations** For versions prior to 1.2.25, upgrade to version 1.2.25 or later to address the issue. As a temporary workaround, consider restricting access to the `graphs.php` file or disabling the `ajax hosts` and `ajax hosts noany` functions until a patch is applied. Avoid using the `site id` parameter in the affected API endpoints until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Cacti versions prior to 1.2.25 **Description** Cacti is an open source operational monitoring and fault management framework. A SQL injection vulnerability was discovered in graph view.php. Since guest users can access graph view.php without authentication by default, there could be potential for significant damage if guest users are being utilized in an enabled state. Attackers may exploit this vulnerability, potentially leading to actions such as the usurpation of administrative privileges or remote code execution. **Recommendations** For versions prior to 1.2.25, upgrade to version 1.2.25 or later to address the SQL injection vulnerability. As a temporary workaround, consider disabling access to graph view.php for guest users until a patch is available. Restrict access to the vulnerable `graph view.php` file to minimize the risk of exploitation. Avoid using the `grow right pane tree()` function in the affected `graph view.php` file until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Cacti versions prior to 1.2.25 **Description** A defect in the `sql save` function was discovered in Cacti, an open source operational monitoring and fault management framework. When the column type is numeric, the `sql save` function directly utilizes user input. Many files and functions calling the `sql save` function do not perform prior validation of user input, leading to the existence of multiple SQL injection vulnerabilities. This allows authenticated users to exploit these SQL injection vulnerabilities to perform privilege escalation and remote code execution. **Recommendations** For versions prior to 1.2.25, upgrade to version 1.2.25 or later to address the issue. As a temporary workaround, consider disabling the `sql save` function until a patch is available. Restrict access to the vulnerable functions and files that call the `sql save` function to minimize the risk of exploitation. Avoid using the `sql save` function with numeric column types until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Cacti versions prior to 1.2.25 **Description** An authenticated SQL injection issue allows authenticated users to perform privilege escalation and remote code execution. The issue resides in the `reports user.php` file, specifically in the `ajax get branches` function where the `tree id` parameter is passed to the `reports get branch select` function without validation. **Recommendations** For versions prior to 1.2.25, upgrade to version 1.2.25 or later to address the issue. As a temporary workaround, consider restricting access to the `reports user.php` file and the `ajax get branches` function until a patch is applied. Avoid using the `tree id` parameter in the affected function until the issue is resolved.