CVE-2023-49085
Cacti SQL Injection vulnerability
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
3Exploited in Wild
-Decision
Descriptions
Cacti provides an operational monitoring and fault management framework. In versions 1.2.25 and prior, it is possible to execute arbitrary SQL code through the `pollers.php` script. An authorized user may be able to execute arbitrary SQL code. The vulnerable component is the `pollers.php`. Impact of the vulnerability - arbitrary SQL code execution. As of time of publication, a patch does not appear to exist.
Cacti proporciona un framework de monitoreo operativo y gestión de fallos. En las versiones 1.2.25 y anteriores, es posible ejecutar código SQL arbitrario a través del script `pollers.php`. Un usuario autorizado puede ejecutar código SQL arbitrario. El componente vulnerable es `pollers.php`. Impacto de la vulnerabilidad: ejecución de código SQL arbitrario. En el momento de la publicación, no parece existir ningún parche.
Multiple security vulnerabilities have been discovered in Cacti, a web interface for graphing of monitoring systems, which could result in cross-site scripting, SQL injection, or command injection.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2023-11-21 CVE Reserved
- 2023-12-22 CVE Published
- 2024-02-05 First Exploit
- 2025-02-13 CVE Updated
- 2025-05-12 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CAPEC
References (6)
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|