CVE-2024-31445

Name of the Vulnerable Software and Affected Versions Cacti versions prior to 1.2.27

Description Cacti provides an operational monitoring and fault management framework. A SQL injection vulnerability in the automation get new graphs sql function of api automation.php allows authenticated users to exploit these SQL injection vulnerabilities to perform privilege escalation and remote code execution. In api automation.php line 856, the get request var('filter') is being concatenated into the SQL statement without any sanitization. In api automation.php line 717, the filter of 'filter' is FILTER DEFAULT, which means there is no filter for it.

Recommendations For versions prior to 1.2.27, update to version 1.2.27 to resolve the issue. As a temporary workaround, consider disabling the automation get new graphs sql function until a patch is available. Restrict access to the api automation.php file to minimize the risk of exploitation. Avoid using the get request var('filter') variable in the affected API endpoint until the issue is resolved.