
Cloud Vulnerability DB
A community-led vulnerabilities database
A defect in the sql_save function affects Cacti version 1.2.24 and earlier. When the target column type is numeric, sql_save uses the supplied value directly, without validating it. Many of the files and functions that call sql_save do not validate user input beforehand either, so the defect results in multiple SQL injection vulnerabilities. The vulnerability was discovered in September 2023 and has been assigned CVE-2023-39357. It affects Cacti, an operational monitoring and fault management framework (GitHub Advisory).
The vulnerability lies in the part of sql_save that handles numeric column types (int, float, double, or decimal) without validating the input. For these numeric fields, the function places the user-supplied value directly into the SQL statement through the $array_items array, which is later passed to the _db_replace function. The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (GitHub Advisory).
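As an added illustration of the weak numeric-column handling described above beside a hardened form (this is a simplified model written for this page, not Cacti's own sql_save code), the script below builds a REPLACE statement from a field array. SCHEMA, NUMERIC_TYPES, build_replace_unsafe and build_replace_safe are hypothetical names, and the input is constructed.

```php
<?php
// Added, simplified model of the pattern described above; not Cacti's sql_save.
declare(strict_types=1);
// Hypothetical schema map: column name => column type.
const SCHEMA = ['id' => 'int', 'name' => 'varchar', 'poller_id' => 'int'];
const NUMERIC_TYPES = ['int', 'float', 'double', 'decimal'];
// Weak shape: string columns are quoted and escaped, numeric columns are
// interpolated as received, so a non-numeric value lands in the SQL text.
function build_replace_unsafe(string $table, array $fields): string
{
    $values = [];
    foreach ($fields as $col => $val) {
        if (in_array(SCHEMA[$col] ?? 'varchar', NUMERIC_TYPES, true)) {
            $values[] = (string) $val;               // no validation at all
        } else {
            $values[] = "'" . addslashes((string) $val) . "'";
        }
    }
    return sprintf('REPLACE INTO %s (%s) VALUES (%s)',
        $table, implode(', ', array_keys($fields)), implode(', ', $values));
}
// Hardened shape: unknown columns are refused, numeric columns must hold a
// numeric value, and every value is bound through a placeholder.
function build_replace_safe(string $table, array $fields): array
{
    $params = [];
    foreach ($fields as $col => $val) {
        if (!array_key_exists($col, SCHEMA)) {
            throw new InvalidArgumentException("unknown column: $col");
        }
        if (in_array(SCHEMA[$col], NUMERIC_TYPES, true) && !is_numeric($val)) {
            throw new InvalidArgumentException("non-numeric value for $col");
        }
        $params[] = $val;
    }
    $placeholders = implode(', ', array_fill(0, count($fields), '?'));
    $sql = sprintf('REPLACE INTO %s (%s) VALUES (%s)',
        $table, implode(', ', array_keys($fields)), $placeholders);
    return [$sql, $params];   // execute via PDO::prepare()->execute($params)
}
// Constructed input: poller_id carries SQL text instead of a number.
$input = ['id' => 7, 'name' => 'edge-router', 'poller_id' => '1 OR 1=1'];
echo build_replace_unsafe('host', $input), PHP_EOL;   // injected text is now in the query
try {
    build_replace_safe('host', $input);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

is_numeric still admits floats and exponent notation, so for int columns a stricter check such as filter_var($val, FILTER_VALIDATE_INT) is preferable.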
An authenticated user can exploit these SQL injection vulnerabilities for privilege escalation and remote code execution. Because the application accepts stacked queries, an attacker can potentially reach remote code execution by modifying the 'path_php_binary' value in the database, compromising the integrity and confidentiality of the system (GitHub Advisory, Security Online).
The vulnerability has been fixed in Cacti version 1.2.25. Users are strongly advised to upgrade to this version or later. There are no known workarounds for this vulnerability other than upgrading to the patched version (GitHub Advisory, Debian Security).
Multiple Linux distributions have released security advisories and patches for this vulnerability, including Debian and Fedora. Debian released DSA-5550-1 and DLA-3765-1 to address this vulnerability along with other security issues in Cacti (Debian LTS, Fedora Update).
Source: This report was generated using AI