Unrated severity · NVD Advisory · Published Jul 6, 2005 · Updated Apr 16, 2026
CVE-2005-2148
Description
Cacti 0.8.6e and earlier does not perform proper input validation to protect against common attacks. Remote attackers can execute arbitrary commands or SQL by sending a legitimate value in a POST request or cookie and then specifying the attack string in the URL. This causes the get_request_var function to return the wrong value: the value in the $_REQUEST variable is cleansed, while the original malicious $_GET value remains unmodified. The issue is demonstrated in (1) graph_image.php and (2) graph.php.
Affected products
- cpe:2.3:a:the_cacti_group:cacti:0.8:*:*:*:*:*:*:*
- cpe:2.3:a:the_cacti_group:cacti:0.8.1:*:*:*:*:*:*:*
- cpe:2.3:a:the_cacti_group:cacti:0.8.2:*:*:*:*:*:*:*
- cpe:2.3:a:the_cacti_group:cacti:0.8.2a:*:*:*:*:*:*:*
- cpe:2.3:a:the_cacti_group:cacti:0.8.3:*:*:*:*:*:*:*
- cpe:2.3:a:the_cacti_group:cacti:0.8.3a:*:*:*:*:*:*:*
- cpe:2.3:a:the_cacti_group:cacti:0.8.4:*:*:*:*:*:*:*
- cpe:2.3:a:the_cacti_group:cacti:0.8.5:*:*:*:*:*:*:*
- cpe:2.3:a:the_cacti_group:cacti:0.8.5a:*:*:*:*:*:*:*
- cpe:2.3:a:the_cacti_group:cacti:0.8.6:*:*:*:*:*:*:*
- cpe:2.3:a:the_cacti_group:cacti:0.8.6a:*:*:*:*:*:*:*
- cpe:2.3:a:the_cacti_group:cacti:0.8.6b:*:*:*:*:*:*:*
- cpe:2.3:a:the_cacti_group:cacti:0.8.6c:*:*:*:*:*:*:*
- cpe:2.3:a:the_cacti_group:cacti:0.8.6d:*:*:*:*:*:*:*
- cpe:2.3:a:the_cacti_group:cacti:0.8.6e:*:*:*:*:*:*:*
References
- sourceforge.net/mailarchive/forum.php (nvd, Patch)
- www.cacti.net/downloads/patches/0.8.6e/cacti-0.8.6f_security.patch (nvd, Patch)
- www.hardened-php.net/advisory-032005.php (nvd, Patch, Vendor Advisory)
- www.hardened-php.net/advisory-042005.php (nvd, Patch)
- secunia.com/advisories/15490 (nvd)
- securitytracker.com/id (nvd)
- www.debian.org/security/2005/dsa-764 (nvd)
- www.securityfocus.com/archive/1/404047/30/30/threaded (nvd)
- www.securityfocus.com/archive/1/404054 (nvd)
- www.securityfocus.com/bid/14128 (nvd)
- www.securityfocus.com/bid/14129 (nvd)
- www.vupen.com/english/advisories/2005/0951 (nvd)
- exchange.xforce.ibmcloud.com/vulnerabilities/21266 (nvd)
- exchange.xforce.ibmcloud.com/vulnerabilities/21270 (nvd)