When viewing graphs, some input variables are not properly checked (SQL injection possible)

[cigamit]

Describe the bug
As reported by Eldar Marcussen of xen1thLabs there is a SQL injection vulnerability in Cacti's graphs.php.

Expected behavior
Cacti should be not contain SQL vunderabilities

[carnil]

This was assigned CVE-2019-17357.

[hlef]

@cigamit do you have instructions for reproducing this issue?

Looking at the source code, I am pretty sure that cacti v0.8.8h from Debian Stretch isn't affected, but I would still like to try reproducing the injection.

[netniV]

Just look for a similar section of code in the same php file from 0.8.8. If it uses it in the sQL statement without verifying the number is number, it is affected and needs the same patch.

[TheWitness]

It has no impact to 0.8.x.