CVE-2020-35701

An issue was discovered in Cacti 1.2.x through 1.2.16. A SQL injection vulnerability in data_debug.php allows remote authenticated attackers to execute arbitrary SQL commands via the site_id parameter. This can lead to remote code execution.

Published: Jan 11, 2021
Updated: Apr 14, 2023
CVE: CVE-2020-35701
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 8.8
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: Medium
Score: 6.5
AV:N/AC:L/Au:S/C:P/I:P/A:P

CWEs:

CWE-89

OWASP TOP 10:

A1 - Injection

Affected Software
References

Software	From	Fixed in
cacti / cacti	1.2.0	1.2.16.x
fedoraproject / fedora	32	32.x
fedoraproject / fedora	33	33.x
fedoraproject / fedora	34	34.x

https://asaf.me/2020/12/15/cacti-1-2-0-to-1-2-16-sql-injection/
https://github.com/Cacti/cacti/issues/4022
https://lists.fedoraproject.org/archives/list/[email protected]/message/6DDD22Z56THHDTXAFM447UH3BVINURIF/
https://lists.fedoraproject.org/archives/list/[email protected]/message/C7DPUWZBAMCXFKAKUAJSHL3CKTOLGAK6/
https://lists.fedoraproject.org/archives/list/[email protected]/message/NBKBR2MFZJ6C2I4I5PCRR6UERPY24XZN/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6DDD22Z56THHDTXAFM447UH3BVINURIF/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/C7DPUWZBAMCXFKAKUAJSHL3CKTOLGAK6/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NBKBR2MFZJ6C2I4I5PCRR6UERPY24XZN/
https://security.gentoo.org/glsa/202101-31

Vulnerability Database

289,697

CVE-2020-35701