| Name | CVE-2020-14295 |
| Description | A SQL injection issue in color.php in Cacti 1.2.12 allows an admin to inject SQL via the filter parameter. This can lead to remote command execution because the product accepts stacked queries. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| Debian Bugs | 963139 |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|
| cacti (PTS) | jessie, jessie (lts) | 0.8.8b+dfsg-8+deb8u10 | fixed |
| stretch (security), stretch (lts), stretch | 0.8.8h+ds1-10+deb9u2 | fixed |
| buster (security), buster, buster (lts) | 1.2.2+ds1-2+deb10u6 | fixed |
| bullseye | 1.2.16+ds1-2+deb11u3 | fixed |
| bullseye (security) | 1.2.16+ds1-2+deb11u4 | fixed |
| bookworm | 1.2.24+ds1-1+deb12u4 | fixed |
| bookworm (security) | 1.2.24+ds1-1+deb12u2 | fixed |
| sid, trixie | 1.2.28+ds1-2 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|
| cacti | source | wheezy | (unfixed) | end-of-life | | |
| cacti | source | jessie | (not affected) | | | |
| cacti | source | stretch | (not affected) | | | |
| cacti | source | buster | (not affected) | | | |
| cacti | source | (unstable) | 1.2.13+ds1-1 | | | 963139 |
Notes
[buster] - cacti <not-affected> (Vulnerability introduced later)
[stretch] - cacti <not-affected> (Vulnerability introduced later)
[jessie] - cacti <not-affected> (Vulnerability introduced later)
https://github.com/Cacti/cacti/issues/3622
Fixed by: https://github.com/Cacti/cacti/commit/cc1a656f37b08c0c45667c119a44a3751271ac6e
Introduced with the fix for https://github.com/Cacti/cacti/issues/2839
Introduced by: https://github.com/Cacti/cacti/commit/b87747c38ba58e8cf6507d4f1f8476d1df567556 (1.2.6)