Fluid Attacks Database

Description

A SQL injection issue in color.php in Cacti 1.2.12 allows an admin to inject SQL via the filter parameter. This can lead to remote command execution because the product accepts stacked queries.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 13	cacti	>=0 <1.2.13+ds1-1	1.2.13+ds1-1
debian 12	cacti	>=0 <1.2.13+ds1-1	1.2.13+ds1-1
debian 11	cacti	>=0 <1.2.13+ds1-1	1.2.13+ds1-1
debian 14	cacti	>=0 <1.2.13+ds1-1	1.2.13+ds1-1

Aliases

1. CVE-2020-142952. NVD-2020-142953. OSV-DEBIAN-2020-142954. OSV-2020-142955. SECURITY-TRACKER-CVE-2020-14295

References

1. https://github.com/0z09e/CVE-2020-142952. https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/http/cacti_filter_sqli_rce.rb

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.