CVE-2020-14295
CVE-2020-14295
A SQL injection issue in color.php in Cacti 1.2.12 allows an admin to inject SQL via the filter parameter. This can lead to remote command execution because the product accepts stacked queries.
Affected products
n/a · n/apublic PoCs found — 5
githubgithub.com/0z09e/CVE-2020-14295★ 2githubgithub.com/mrg3ntl3m4n/CVE-2020-14295★ 0cve_referencepacketstormsecurity.com/files/162384/Cacti-1.2.12-SQL-Injection-Remote-Code-Execution.htmlunverifiedcve_referencepacketstormsecurity.com/files/162918/Cacti-1.2.12-SQL-Injection-Remote-Command-Execution.htmlunverifiedexploitdbwww.exploit-db.com/exploits/49810unverified⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
Want to know if your infrastructure is exposed to this?
Talk to TrueHacking →References
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00067.htmlhttp://lists.opensuse.org/opensuse-security-announce/2020-07/msg00085.htmlhttp://packetstormsecurity.com/files/162384/Cacti-1.2.12-SQL-Injection-Remote-Code-Execution.htmlhttp://packetstormsecurity.com/files/162918/Cacti-1.2.12-SQL-Injection-Remote-Command-Execution.htmlhttps://github.com/Cacti/cacti/issues/3622https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W64CIB6L4HZRVQSWKPDDKXJO4J2XTOXD/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZKM5G3YNSZDHDZMPCMAHG5B5M2V4XYSE/https://security.gentoo.org/glsa/202007-03