SQL injection vulnerability in graph.php in Cacti 0.8.7e and earlier allows remote attackers to execute arbitrary SQL commands via the rra_id parameter in a GET request in conjunction with a valid rra_id value in a POST request or a cookie, which bypasses the validation routine.
Guest user privileges are sufficient to trigger this flaw.
This issue has been addressed in following products:
Red Hat HPC Solution for RHEL 5
Via RHSA-2010:0635 https://rhn.redhat.com/errata/RHSA-2010-0635.html