CVE-2010-2092

SQL injection vulnerability in graph.php in Cacti 0.8.7e and earlier allows remote attackers to execute arbitrary SQL commands via a crafted rra_id parameter in a GET request in conjunction with a valid rra_id value in a POST request or a cookie, which causes the POST or cookie value to bypass the validation routine, but inserts the $_GET value into the resulting query.

Published: May 28, 2010
Updated: Apr 13, 2023
CVE: CVE-2010-2092
Severity: High
Exploit:

CVSS v2:

Severity: High
Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P

CWEs:

CWE-89

OWASP TOP 10:

A1 - Injection

Affected Software
References

Software	From	Fixed in
cacti / cacti	0.5	0.5.x
cacti / cacti	0.8.6k	0.8.6k.x
cacti / cacti	0.8.6d	0.8.6d.x
cacti / cacti	0.6.3	0.6.3.x
cacti / cacti	0.8.7	0.8.7.x
cacti / cacti	0.8.5a	0.8.5a.x
cacti / cacti	0.8.3	0.8.3.x
cacti / cacti	0.6.8	0.6.8.x
cacti / cacti	0.8.2	0.8.2.x
cacti / cacti	0.8.5	0.8.5.x
cacti / cacti	0.6.6	0.6.6.x
cacti / cacti	0.8.7d	0.8.7d.x
cacti / cacti	0.8.7b	0.8.7b.x
cacti / cacti	0.8.7a	0.8.7a.x
cacti / cacti	0.6.2	0.6.2.x
cacti / cacti	0.6.5	0.6.5.x
cacti / cacti	0.8.6f	0.8.6f.x
cacti / cacti	0.8.6g	0.8.6g.x
cacti / cacti	0.8.6j	0.8.6j.x
cacti / cacti	0.8.7c	0.8.7c.x
cacti / cacti	0.6.1	0.6.1.x
cacti / cacti	0.8	0.8.x
cacti / cacti	0.8.6a	0.8.6a.x
cacti / cacti	0.8.6i	0.8.6i.x
cacti / cacti	0.8.6	0.8.6.x
cacti / cacti	0.6.8a	0.6.8a.x
cacti / cacti	0.6.7	0.6.7.x
cacti / cacti	0.8.1	0.8.1.x
cacti / cacti	0.8.4	0.8.4.x
cacti / cacti	0.8.6c	0.8.6c.x
cacti / cacti	0.6.4	0.6.4.x
cacti / cacti	0.8.6b	0.8.6b.x
cacti / cacti	0.8.2a	0.8.2a.x
cacti / cacti	0.8.3a	0.8.3a.x
cacti / cacti	0.8.6h	0.8.6h.x
cacti / cacti	-	0.8.7e.x
cacti / cacti	0.6	0.6.x

Vulnerability Database

289,697

CVE-2010-2092