Cacti is prone to multiple input-validation vulnerabilities because it fails to adequately sanitize user-supplied input. These vulnerabilities include SQL-injection and command-injection issues. Exploiting these issues can allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Other attacks may also be possible. Cacti 0.8.7e is vulnerable other versions may also be affected.

Updates are available to address the SQL-injection issue. Please see the references for more information.

• http://cacti.net/
• http://www.bonsai-sec.com/en/research/vulnerabilities/cacti-os-command-injection-0105.php
• http://www.bonsai-sec.com/en/research/vulnerabilities/cacti-sql-injection-0104.php
• http://www.securityfocus.com/bid/39639

---

Updated on 2015-03-25