Candidate: CVE-2020-14295
PublicDate: 2020-06-17 14:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14295
 https://github.com/Cacti/cacti/issues/3622
Description:
 A SQL injection issue in color.php in Cacti 1.2.12 allows an admin to
 inject SQL via the filter parameter. This can lead to remote command
 execution because the product accepts stacked queries.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H [7.2 HIGH]

Patches_cacti:
 upstream: https://github.com/Cacti/cacti/commit/cc1a656f37b08c0c45667c119a44a3751271ac6e
upstream_cacti: released (1.2.13)
precise/esm_cacti: DNE
trusty_cacti: ignored (out of standard support)
trusty/esm_cacti: DNE (trusty was not-affected [code not present])
xenial_cacti: ignored (end of standard support, was not-affected [code not present])
bionic_cacti: needed
eoan_cacti: ignored (reached end-of-life)
focal_cacti: needed
groovy_cacti: ignored (reached end-of-life)
hirsute_cacti: not-affected (1.2.16+ds1-2ubuntu1)
impish_cacti: not-affected (1.2.16+ds1-2ubuntu1)
jammy_cacti: not-affected (1.2.16+ds1-2ubuntu1)
devel_cacti: not-affected (1.2.16+ds1-2ubuntu1)