An SQL injection vulnerability was found in cacti-0.8.8g.

Vulnerable code (/cacti/tree.php):

    switch ($current_type) {
    case TREE_ITEM_TYPE_HEADER:
        $i = 0;

        /* it's nice to default to the parent sorting style for new items */
        if (empty($_GET["id"])) {
            $default_sorting_type = db_fetch_cell("select sort_children_type from graph_tree_items where id=" . $_GET["parent_id"]);
        }else{
            $default_sorting_type = TREE_ORDERING_NONE;
        }

CVE request (includes reproducer): http://seclists.org/oss-sec/2016/q1/590
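The lookup quoted in the report, rewritten with integer validation and a bound parameter. This is an added example, not Cacti code and not the upstream fix: the table and column names come from the quoted query, while the function name `parent_sort_type`, the PDO/SQLite setup and the sample rows are assumptions made for illustration.

```php
<?php
// Added example, not Cacti code. Table and column names are taken from the
// query quoted in the report; the PDO/SQLite setup and rows are constructed.

/** Returns sort_children_type for a parent item, or null if the id is invalid or unknown. */
function parent_sort_type(PDO $db, $rawParentId): ?int
{
    // Reject anything that is not a non-negative integer before it reaches SQL.
    // Arrays (e.g. parent_id[]=1) and empty strings also fail this check.
    $id = filter_var($rawParentId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    if ($id === false) {
        return null;
    }

    // Bind the value instead of concatenating it into the statement.
    $stmt = $db->prepare('SELECT sort_children_type FROM graph_tree_items WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();

    $value = $stmt->fetchColumn();
    return $value === false ? null : (int) $value;
}

// Constructed in-memory database so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE graph_tree_items (id INTEGER PRIMARY KEY, sort_children_type INTEGER)');
$db->exec('INSERT INTO graph_tree_items VALUES (1, 2), (2, 3)');

// Constructed request values standing in for $_GET["parent_id"].
foreach (['1', '2', '99', '1 OR 1=1', '', ['1']] as $raw) {
    $result = parent_sort_type($db, $raw);
    printf("%-12s => %s\n", json_encode($raw), $result === null ? 'rejected/not found' : $result);
}
```

Either measure alone closes the concatenation path shown in the report; using both keeps the query safe if the validation is later loosened or the parameter is reused elsewhere.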
Created cacti tracking bugs for this issue:

Affects: epel-all [bug 1317550]
CVE assignment: http://seclists.org/oss-sec/2016/q1/651
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.