Candidate: CVE-2019-17357
PublicDate: 2020-01-21 19:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17357
 https://github.com/Cacti/cacti/issues/3025
 https://github.com/Cacti/cacti/commit/d6dc48503bbcde0717e7a93df7638fd4796200f4
Description:
 Cacti through 1.2.7 is affected by a graphs.php?template_id= SQL injection
 vulnerability affecting how template identifiers are handled when a string
 and id composite value are used to identify the template type and id. An
 authenticated attacker can exploit this to extract data from the database,
 or an unauthenticated remote attacker could exploit this via Cross-Site
 Request Forgery.
Ubuntu-Description:
 It was discovered that Cacti has an SQL injection vulnerability affecting
 how template identifiers are handled. An authenticated attacker can exploit
 this to extract data from the database, or an unauthenticated remote
 attacker could exploit this via Cross-Site Request Forgery.
Notes:
Mitigation:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N [6.5 MEDIUM]

Patches_cacti:
upstream: https://github.com/Cacti/cacti/commit/d6dc48503bbcde0717e7a93df7638fd4796200f4
upstream_cacti: released (1.2.8)
precise/esm_cacti: DNE
trusty_cacti: ignored (out of standard support)
trusty/esm_cacti: DNE (trusty was needed)
xenial_cacti: ignored (end of standard support, was needed)
bionic_cacti: needed
disco_cacti: ignored (reached end-of-life)
eoan_cacti: ignored (reached end-of-life)
focal_cacti: not-affected (1.2.10+ds1-1ubuntu1)
groovy_cacti: ignored (reached end-of-life)
hirsute_cacti: not-affected (1.2.16+ds1-2ubuntu1)
impish_cacti: not-affected (1.2.16+ds1-2ubuntu1)
jammy_cacti: not-affected (1.2.16+ds1-2ubuntu1)
devel_cacti: not-affected (1.2.16+ds1-2ubuntu1)