CVE-2023-49085: 
Cacti vulnerability analysis and mitigation

Cacti provides an operational monitoring and fault management framework. In versions 1.2.25 and prior, a SQL injection vulnerability was discovered in the pollers.php script that allows authorized users to execute arbitrary SQL code (GitHub Advisory). The vulnerability was assigned CVE-2023-49085 and was disclosed on December 22, 2023.

The vulnerability exists in the pollers.php file's form_save function, where the poller_host_duplicate function is called with an unsanitized dbhost parameter. The SQL injection vulnerability is present on line 427 of the poller_host_duplicate function, where the $host variable controlled by the attacker is used directly in an SQL query. The vulnerability has a CVSS v3.1 base score of 8.8 (High) with vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (GitHub Advisory, NVD).

The vulnerability allows an authenticated user to execute arbitrary SQL code, which could lead to database manipulation, data exfiltration, and potential remote code execution when chained with other vulnerabilities. The SQL injection supports multi-queries, enabling multiple arbitrary SQL queries to be executed in a single database access (GitHub Advisory).

The vulnerability was fixed in Cacti version 1.2.26. Organizations are advised to upgrade to this or a later version. For Debian 10 buster, the fix is available in version 1.2.2+ds1-2+deb10u6 (Debian Advisory). Fedora has also released updates to address this vulnerability in version 1.2.27 (Fedora Update).