Bug ID 1218381
Summary VUL-0: CVE-2023-51448: cacti: blind SQL injection in SNMP notification receivers feature
Classification openSUSE
Product openSUSE Distribution
Version Leap 15.6
Hardware Other
URL https://smash.suse.de/issue/389228/
OS Other
Status NEW
Severity Normal
Priority P5 - None
Component Other
Assignee pstivanin@suse.com
Reporter smash_bz@suse.de
QA Contact security-team@suse.de
CC meissner@suse.com
Target Milestone ---
Found By Security Response Team
Blocker --- 

Cacti provides an operational monitoring and fault management framework.
Version 1.2.25 has a Blind SQL Injection (SQLi) vulnerability within the SNMP
Notification Receivers feature in the file `‘managers.php’`. An authenticated
attacker with the “Settings/Utilities” permission can send a crafted HTTP GET
request to the endpoint `‘/cacti/managers.php’` with an SQLi payload in the
`‘selected_graphs_array’` HTTP GET parameter. As of time of publication, no
patched versions exist.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-51448

You are receiving this mail because: