Vulnerability Description
SQL injection vulnerability in graph.php in Cacti 0.8.7e and earlier allows remote attackers to execute arbitrary SQL commands via a crafted rra_id parameter in a GET request in conjunction with a valid rra_id value in a POST request or a cookie, which causes the POST or cookie value to bypass the validation routine, but inserts the $_GET value into the resulting query.
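As an added illustration of the pattern this description names, the constructed PHP below is not Cacti's code: it validates rra_id from a merged POST/cookie/GET source but builds the query from $_GET, beside a hardened version that validates and binds the same value; the table name, the precedence order and the simulated superglobals are assumptions.

```php
<?php
// Constructed illustration of the validation/query source mismatch described
// in CVE-2010-2092. Hypothetical, simplified code, not Cacti's graph.php.
declare(strict_types=1);

// Simulated request for an offline run: a valid id in the cookie,
// an unvalidated value in the query string.
$_GET    = ['rra_id' => 'not-a-number'];
$_COOKIE = ['rra_id' => '5'];
$_POST   = [];

// Precedence assumed for this illustration: POST, then cookie, then GET.
function merged_rra_id(): ?string {
    return $_POST['rra_id'] ?? $_COOKIE['rra_id'] ?? $_GET['rra_id'] ?? null;
}

// Vulnerable pattern: the value that is validated and the value that reaches
// the SQL string come from different sources.
function build_query_vulnerable(): string {
    if (!ctype_digit((string) merged_rra_id())) {
        throw new InvalidArgumentException('invalid rra_id');
    }
    // BUG: $_GET['rra_id'] was never checked, yet it is concatenated into SQL.
    return 'SELECT * FROM graph_data WHERE rra_id = ' . $_GET['rra_id'];
}

// Hardened pattern: read one source, validate that exact value, cast it,
// and pass it as a bound parameter rather than concatenating it.
function build_query_fixed(): array {
    $raw = merged_rra_id();
    if ($raw === null || !ctype_digit($raw)) {
        throw new InvalidArgumentException('invalid rra_id');
    }
    $rra_id = (int) $raw; // the validated value is the one that is used
    return ['SELECT * FROM graph_data WHERE rra_id = ?', [$rra_id]];
}

echo build_query_vulnerable(), PHP_EOL;  // unvalidated text ends up in the SQL string
[$sql, $params] = build_query_fixed();
echo $sql, ' ', json_encode($params), PHP_EOL;
```

Run with `php example.php`; the first line shows the unchecked GET value inside the SQL text, the second shows the placeholder query with the integer 5 bound separately.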
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Cacti | Cacti | <= 0.8.7e |
Related Weaknesses (CWE)
References
- http://php-security.org/2010/05/13/mops-2010-023-cacti-graph-viewer-sql-injectioExploit
- http://secunia.com/advisories/41041
- http://www.cacti.net/changelog.php
- http://www.debian.org/security/2010/dsa-2060
- http://www.vupen.com/english/advisories/2010/2132
- https://rhn.redhat.com/errata/RHSA-2010-0635.html
FAQ
What is CVE-2010-2092?
CVE-2010-2092 is a vulnerability with a CVSS score of 7.5 (HIGH). SQL injection vulnerability in graph.php in Cacti 0.8.7e and earlier allows remote attackers to execute arbitrary SQL commands via a crafted rra_id parameter in a GET request in conjunction with a val...
How severe is CVE-2010-2092?
CVE-2010-2092 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2010-2092?
Check the references section above for vendor advisories and patch information. Affected product: Cacti (vendor Cacti), versions 0.8.7e and earlier.