CVE-2020-35701

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: Cacti versions 1.2.x through 1.2.16

Description: A SQL injection issue in data debug.php allows remote authenticated attackers to execute arbitrary SQL commands via the site id parameter, potentially leading to remote code execution.

Recommendations: For Cacti versions 1.2.x through 1.2.16, as a temporary workaround, consider restricting access to the data debug.php file until a patch is available. Avoid using the site id parameter in the affected endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

RCE

SQL injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-89

Related Identifiers

ALT-PU-2021-2264

ALT-PU-2025-1813

CVE-2020-35701

OPENSUSE-SU-2021:0755-1

OPENSUSE-SU-2021:0787-1

OPENSUSE-SU-2021_0755-1

OPENSUSE-SU-2024:10670-1

USN-5214-1

Affected Products

Alt Linux

Cacti

Linuxmint

Suse

Ubuntu

CVE-2020-35701

Weakness Enumeration

Related Identifiers

Affected Products

References · 82