Fluid Attacks Database

Description

Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, some of the data stored in form_save() function in graph_template_inputs.php is not thoroughly checked and is used to concatenate the SQL statement in draw_nontemplated_fields_graph_item() function from lib/html_form_templates.php , finally resulting in SQL injection. Version 1.2.27 contains a patch for the issue.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	cacti	=1.2.16+ds1-2 \|\| =1.2.16+ds1-2+deb11u1 \|\| =1.2.16+ds1-2+deb11u2 \|\| =1.2.16+ds1-2+deb11u3 \|\| >=0 <1.2.16+ds1-2+deb11u4	1.2.16+ds1-2+deb11u4
debian 12	cacti	=1.2.24+ds1-1 \|\| =1.2.24+ds1-1+deb12u1 \|\| =1.2.24+ds1-1+deb12u2 \|\| >=0 <1.2.24+ds1-1+deb12u3	1.2.24+ds1-1+deb12u3
debian 13	cacti	>=0 <1.2.27+ds1-1	1.2.27+ds1-1
debian 14	cacti	>=0 <1.2.27+ds1-1	1.2.27+ds1-1

Aliases

1. CVE-2024-314582. NVD-2024-314583. OSV-DEBIAN-2024-314584. OSV-2024-314585. SECURITY-TRACKER-CVE-2024-31458

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.