CVE-2008-0785 – Cacti 0.8.7 - '/index.php/sql.php?Login Action login_username' SQL Injection
https://notcve.org/view.php?id=CVE-2008-0785
Multiple SQL injection vulnerabilities in Cacti 0.8.7 before 0.8.7b and 0.8.6 before 0.8.6k allow remote authenticated users to execute arbitrary SQL commands via the (1) graph_list parameter to graph_view.php, (2) leaf_id and id parameters to tree.php, (3) local_graph_id parameter to graph_xport.php, and (4) login_username parameter to index.php/login. Múltiples vulnerabilidades de inyección SQL en Cacti 0.8.7 anterior a 0.8.7b y 0.8.6 anterior a 0.8.6k. que permite a usuarios autentificados remotamente ejecutar comandos SQL de su elección a través de los parámetros: (1) graph_list a graph_view.php, (2) leaf_id e id a tree.php, (3) local_graph_id a graph_xport.php y (4) login_username a index.php/login. • https://www.exploit-db.com/exploits/31161 https://www.exploit-db.com/exploits/31156 https://www.exploit-db.com/exploits/31160 https://www.exploit-db.com/exploits/31159 http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00001.html http://secunia.com/advisories/28872 http://secunia.com/advisories/28976 http://secunia.com/advisories/29242 http://secunia.com/advisories/29274 http://secunia.com/advisories/30045 http://security.gentoo.org/glsa/glsa-200803-18.xml h • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2008-0786
https://notcve.org/view.php?id=CVE-2008-0786
CRLF injection vulnerability in Cacti 0.8.7 before 0.8.7b and 0.8.6 before 0.8.6k, when running on older PHP interpreters, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors. Vulnerabilidad de inyección CRLF en Cacti 0.8.7 anterior a 0.8.7b y 0.8.6 anterior a 0.8.6k, cuando se ejecuta en intérpretes PHP antiguos, permite a atacantes remotos inyectar cabeceras HTTP de su elección y llevar a cabo ataques de división de respuesta HTTP a través de vectores no especificados. • http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00001.html http://secunia.com/advisories/28872 http://secunia.com/advisories/28976 http://secunia.com/advisories/29242 http://secunia.com/advisories/29274 http://security.gentoo.org/glsa/glsa-200803-18.xml http://securityreason.com/securityalert/3657 http://www.cacti.net/release_notes_0_8_7b.php http://www.mandriva.com/security/advisories?name=MDVSA-2008:052 http://www.securityfocus.com/archive/1/488013/100/0/thr • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2007-6035
https://notcve.org/view.php?id=CVE-2007-6035
SQL injection vulnerability in graph.php in Cacti before 0.8.7a allows remote attackers to execute arbitrary SQL commands via the local_graph_id parameter. Una vulnerabilidad de inyección SQL en el archivo graph.php en Cacti versiones anteriores a 0.8.7a, permite a atacantes remotos ejecutar comandos SQL arbitrarios por medio del parámetro local_graph_id. • http://bugs.gentoo.org/show_bug.cgi?id=199509 http://secunia.com/advisories/27719 http://secunia.com/advisories/27745 http://secunia.com/advisories/27756 http://secunia.com/advisories/27891 http://secunia.com/advisories/27950 http://security.gentoo.org/glsa/glsa-200712-02.xml http://www.cacti.net/release_notes_0_8_7a.php http://www.debian.org/security/2007/dsa-1418 http://www.mandriva.com/security/advisories?name=MDKSA-2007:231 http://www.novell.com/linux/secur • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •