Describe the bug
As reported by Eldar Marcussen of xen1thLabs there is a SQL injection vulnerability in Cacti's graphs.php.
Cacti should not contain SQL vulnerabilities
Resolving Issue #3025
SQL Injection in graphs.php
This was assigned CVE-2019-17357.
@cigamit do you have instructions for reproducing this issue?
Looking at the source code, I am pretty sure that cacti v0.8.8h from Debian Stretch isn't affected, but I would still like to try reproducing the injection.
Just look for a similar section of code in the same PHP file from 0.8.8. If it uses it in the SQL statement without verifying the number is a number, it is affected and needs the same patch.
It has no impact on 0.8.x.