Vulnerability Description
A SQL injection issue in color.php in Cacti 1.2.12 allows an admin to inject SQL via the filter parameter. This can lead to remote command execution because the product accepts stacked queries.
CVSS Score
7.2
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Cacti | Cacti | 1.2.12 |
| Fedoraproject | Fedora | 31 |
Related Weaknesses (CWE)
References
- http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00067.htmlBroken Link
- http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00085.htmlBroken Link
- http://packetstormsecurity.com/files/162384/Cacti-1.2.12-SQL-Injection-Remote-CoExploitThird Party AdvisoryVDB Entry
- http://packetstormsecurity.com/files/162918/Cacti-1.2.12-SQL-Injection-Remote-CoExploitThird Party AdvisoryVDB Entry
- https://github.com/Cacti/cacti/issues/3622ExploitIssue TrackingThird Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://security.gentoo.org/glsa/202007-03Third Party Advisory
- http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00067.htmlBroken Link
- http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00085.htmlBroken Link
- http://packetstormsecurity.com/files/162384/Cacti-1.2.12-SQL-Injection-Remote-CoExploitThird Party AdvisoryVDB Entry
- http://packetstormsecurity.com/files/162918/Cacti-1.2.12-SQL-Injection-Remote-CoExploitThird Party AdvisoryVDB Entry
- https://github.com/Cacti/cacti/issues/3622ExploitIssue TrackingThird Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
FAQ
What is CVE-2020-14295?
CVE-2020-14295 is a vulnerability with a CVSS score of 7.2 (HIGH). A SQL injection issue in color.php in Cacti 1.2.12 allows an admin to inject SQL via the filter parameter. This can lead to remote command execution because the product accepts stacked queries.
How severe is CVE-2020-14295?
CVE-2020-14295 has been rated HIGH with a CVSS base score of 7.2/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-14295?
Check the references section above for vendor advisories and patch information. Affected products include: Cacti Cacti, Fedoraproject Fedora.