CVE-2020-14295

Name: CVE-2020-14295
Description: A SQL injection issue in color.php in Cacti 1.2.12 allows an admin to inject SQL via the filter parameter. This can lead to remote command execution because the product accepts stacked queries.
NVD Severity: medium

References

Type URI
Exploit https://github.com/Cacti/cacti/issues/3622
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W64CIB6L4HZRVQSWKPDDKXJO4J2XTOXD/
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZKM5G3YNSZDHDZMPCMAHG5B5M2V4XYSE/
SUSE http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00067.html
GENTOO https://security.gentoo.org/glsa/202007-03
SUSE http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00085.html
Exploit http://packetstormsecurity.com/files/162384/Cacti-1.2.12-SQL-Injection-Remote-Code-Execution.html
MISC http://packetstormsecurity.com/files/162918/Cacti-1.2.12-SQL-Injection-Remote-Command-Execution.html

Match rules

CPE URI: cpe:2.3:a:cacti:cacti:1.2.12:*:*:*:*:*:*:*
Source package: cacti
Min version: == None
Max version: == 1.2.12

Vulnerable and fixed packages

Source package Branch Version Maintainer Status