CVE-2023-51448
SQL Injection vulnerability when managing SNMP Notification Receivers
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits: 2
Exploited in Wild: -
Decision: -
Descriptions
Cacti provides an operational monitoring and fault management framework. Version 1.2.25 has a Blind SQL Injection (SQLi) vulnerability within the SNMP Notification Receivers feature in the file `managers.php`. An authenticated attacker with the "Settings/Utilities" permission can send a crafted HTTP GET request to the endpoint `/cacti/managers.php` with an SQLi payload in the `selected_graphs_array` HTTP GET parameter. At the time of publication, no patched versions existed.
An update that fixes 6 vulnerabilities is now available. This update for cacti, cacti-spine fixes the following issues.
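The description above pins down the three facts a defender can key on: the endpoint (`/cacti/managers.php`), the parameter (`selected_graphs_array`), and the fact that the vector is a GET request from an authenticated user. The following is an added example, not code from Cacti or from this advisory: a small Python detector that parses web-server access log lines, isolates requests to `managers.php`, and flags values of `selected_graphs_array` (including the `selected_graphs_array[]` array form) that carry generic SQL-injection markers. The log lines are constructed for the example, and the marker patterns (`SLEEP(`, `BENCHMARK(`, quoted `OR`/`AND`, comment sequences) are illustrative blind-SQLi tells, not the payload referenced in the advisory.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines in Common Log Format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [22/Dec/2023:10:01:02 +0000] "GET /cacti/managers.php?action=edit&id=1 HTTP/1.1" 200 5120
10.0.0.7 - - [22/Dec/2023:10:01:09 +0000] "GET /cacti/managers.php?action=notifications&id=1&selected_graphs_array=1%20AND%20SLEEP(5) HTTP/1.1" 200 60
10.0.0.7 - - [22/Dec/2023:10:01:20 +0000] "GET /cacti/managers.php?action=notifications&id=1&selected_graphs_array[]=3&selected_graphs_array[]=4 HTTP/1.1" 200 4110
10.0.0.9 - - [22/Dec/2023:10:02:00 +0000] "GET /cacti/graph_view.php?action=tree HTTP/1.1" 200 9000
10.0.0.7 - - [22/Dec/2023:10:02:31 +0000] "GET /cacti/managers.php?action=notifications&id=1&selected_graphs_array=1'%20OR%20'1'='1 HTTP/1.1" 200 4110
"""

# Minimal Common Log Format parser: client IP, timestamp, method, request target, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Generic SQLi markers (illustrative, assumption: not the advisory's actual payload).
# Time-based functions are the usual tell for a *blind* injection; quoted boolean
# operators and comment openers cover the boolean-based variant.
SQLI_MARKERS = re.compile(
    r"(?i)(\bsleep\s*\(|\bbenchmark\s*\(|\bunion\b.*\bselect\b|'\s*(or|and)\s*'|--\s|/\*)"
)

# The parameter named in the advisory; the [] suffix is how PHP receives array values.
TARGET_PARAM = "selected_graphs_array"


def parse_line(line):
    """Parse one CLF line into a dict with a decoded query mapping, or None if malformed."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qs percent-decodes values and splits only on the first '=' per pair,
    # so a payload that itself contains '=' is preserved intact.
    rec["query"] = parse_qs(parts.query, keep_blank_values=True)
    return rec


def suspicious_values(query):
    """Return (param, decoded value) pairs for selected_graphs_array* carrying SQLi markers."""
    hits = []
    for name, values in query.items():
        if not name.startswith(TARGET_PARAM):
            continue
        for value in values:
            if SQLI_MARKERS.search(value):
                hits.append((name, value))
    return hits


def detect(log_text):
    """Scan log text; return one finding per managers.php request with a suspicious parameter."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].endswith("/managers.php"):
            continue
        hits = suspicious_values(rec["query"])
        if hits:
            findings.append({"ip": rec["ip"], "ts": rec["ts"], "status": rec["status"], "hits": hits})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

Run against the constructed sample, the detector reports the two requests from `10.0.0.7` that carry a time-based and a boolean-based marker and ignores the legitimate numeric array form. Because the vulnerability requires an authenticated user with the "Settings/Utilities" permission, a hit should be correlated with the Cacti session or user behind the request rather than treated as anonymous scanner noise, and a 200 response with an unusually small or slow reply on the `SLEEP` request is the blind-SQLi signal to look for.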
CVSS Scores
SSVC
- Decision: -
Timeline
- 2023-12-19 CVE Reserved
- 2023-12-22 CVE Published
- 2025-02-13 CVE Updated
- 2025-02-13 First Exploit
- 2025-07-12 EPSS Updated
- Exploited in Wild: -
- KEV Due Date: -
CWE
- CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CAPEC
References (3)
URL | Tag | Source
---|---|---
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RBEOAFKRARQHTDIYSL723XAFJ2Q6624X | |