CVE-2005-2148

Cacti 0.8.6e and earlier does not perform proper input validation to protect against common attacks, which allows remote attackers to execute arbitrary commands or SQL by sending a legitimate value in a POST request or cookie, then specifying the attack string in the URL, which causes the get_request_var function to return the wrong value in the $_REQUEST variable, which is cleansed while the original malicious $_GET value remains unmodified, as demonstrated in (1) graph_image.php and (2) graph.php.

Published: Jul 6, 2005
Updated: Nov 9, 2025
CVE: CVE-2005-2148
Severity: High
Exploit:

CVSS v2:

Severity: High
Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
the_cacti_group / cacti	0.8.5	0.8.5.x
the_cacti_group / cacti	0.8.6b	0.8.6b.x
the_cacti_group / cacti	0.8.6c	0.8.6c.x
the_cacti_group / cacti	0.8.6a	0.8.6a.x
the_cacti_group / cacti	0.8.2a	0.8.2a.x
the_cacti_group / cacti	0.8.3a	0.8.3a.x
the_cacti_group / cacti	0.8	0.8.x
the_cacti_group / cacti	0.8.5a	0.8.5a.x
the_cacti_group / cacti	0.8.4	0.8.4.x
the_cacti_group / cacti	0.8.6	0.8.6.x
the_cacti_group / cacti	0.8.3	0.8.3.x
the_cacti_group / cacti	0.8.1	0.8.1.x
the_cacti_group / cacti	0.8.2	0.8.2.x
the_cacti_group / cacti	0.8.6d	0.8.6d.x
the_cacti_group / cacti	0.8.6e	0.8.6e.x

Vulnerability Database

309,636

CVE-2005-2148

Deep Security Visibility Without the Complexity