CVE-2019-17357

{"id": "CVE-2019-17357", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "authentication": "SINGLE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2020-01-21T19:15:13.067", "references": [{"url": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00001.html", "source": "cve@mitre.org"}, {"url": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00005.html", "source": "cve@mitre.org"}, {"url": "http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00042.html", "source": "cve@mitre.org"}, {"url": "http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00048.html", "source": "cve@mitre.org"}, {"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947374", "tags": ["Issue Tracking", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://github.com/Cacti/cacti/issues/3025", "tags": ["Patch", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://security.gentoo.org/glsa/202003-40", "source": "cve@mitre.org"}, {"url": "https://www.darkmatter.ae/xen1thlabs/", "tags": ["Broken Link"], "source": "cve@mitre.org"}, {"url": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00001.html", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00005.html", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00042.html", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00048.html", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947374", "tags": ["Issue Tracking", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/Cacti/cacti/issues/3025", "tags": ["Patch", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://security.gentoo.org/glsa/202003-40", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.darkmatter.ae/xen1thlabs/", "tags": ["Broken Link"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-89"}]}], "descriptions": [{"lang": "en", "value": "Cacti through 1.2.7 is affected by a graphs.php?template_id= SQL injection vulnerability affecting how template identifiers are handled when a string and id composite value are used to identify the template type and id. An authenticated attacker can exploit this to extract data from the database, or an unauthenticated remote attacker could exploit this via Cross-Site Request Forgery."}, {"lang": "es", "value": "Cacti versiones hasta 1.2.7, est\u00e1 afectado por una vulnerabilidad de inyecci\u00f3n SQL de graphs.php?template_id= afectando la forma en que son manejados los identificadores de plantilla cuando una cadena y un valor compuesto de id son usados para identificar el tipo de plantilla y la identificaci\u00f3n. Un atacante autenticado puede explotar esto para extraer datos desde la base de datos, o un atacante remoto no autenticado podr\u00eda explotar esto por medio de un ataque de tipo Cross-Site Request Forgery."}], "lastModified": "2024-11-21T04:32:09.900", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:cacti:cacti:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A4F5AE29-35EB-4B0E-8304-F5520AAE998B", "versionEndIncluding": "1.2.7"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}