Cacti is an open source operational monitoring and fault management framework. An authenticated SQL injection vulnerability was discovered which allows authenticated users to perform privilege escalation and remote code execution. The vulnerability resides in the `reports_user.php` file. In `ajax_get_branches`, the `tree_id` parameter is passed to the `reports_get_branch_select` function without any validation. This issue has been addressed in version 1.2.25. Users are advised to upgrade. There are no known workarounds for this vulnerability.
References
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: GitHub_M
Published: 2023-09-05T21:00:32.426Z
Updated: 2023-09-05T21:00:32.426Z
Reserved: 2023-07-28T13:26:46.480Z
Link: CVE-2023-39358
JSON object: View
NVD Information
Status : Modified
Published: 2023-09-05T22:15:08.733
Modified: 2023-11-03T21:15:14.300
Link: CVE-2023-39358
JSON object: View
Redhat Information
No data.
CWE