PT-2020-13962 · Cacti+3 · Cacti+3

Mayfly277

Published

2020-06-17

Updated

2024-06-15

CVE-2020-14295

CVSS v3.1

7.2

High

Vector

AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Cacti version 1.2.12

Description A SQL injection issue in the color.php file allows an admin to inject SQL via the filter parameter. This can lead to remote command execution because the product accepts stacked queries.

Recommendations For Cacti version 1.2.12, avoid using the filter parameter in the color.php file until a patch is available. As a temporary workaround, consider restricting access to the color.php file to minimize the risk of exploitation.

Exploit

Fix

SQL injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-89

Related Identifiers

CVE-2020-14295

OPENSUSE-SU-2020:1060-1

OPENSUSE-SU-2020:1106-1

OPENSUSE-SU-2020_1060-1

OPENSUSE-SU-2024:10670-1

USN-5214-1

Affected Products

Cacti

Linuxmint

Suse

Ubuntu

PT-2020-13962 · Cacti+3 · Cacti+3

CVE-2020-14295

Weakness Enumeration

Related Identifiers

Affected Products

References · 68