SQL Injection in cacti/cacti


Reported on

Nov 13th 2021


SQL Injection vulnerability occurs because the input taken from parameters is not sanitized for SQL Injection statement in user_admin.php

user_admin.php:84 update_policies() function contains sql injection vulnerability

get_nfilter_request_var() function takes get/post parameter without sanitizing, so an attacker is able to inject arbitrary data into SQL query


This vulnerability is capable of injection SQL queries

We are processing your report and will contact the cacti team within 24 hours. a year ago
Selim Enes Karaduman modified the report
a year ago
We have contacted a member of the cacti team and are waiting to hear back a year ago
We have sent a follow up to the cacti team. We will try again in 7 days. a year ago
a year ago


@admin is it normal to take that much time for author to response?

Jamie Slome
a year ago


We have sent two e-mails out to the maintainer and are yet to hear back from them. It might be worth getting in touch with them personally, and sharing the URL for this report with them! ­čĹŹ

We have sent a second follow up to the cacti team. We will try again in 10 days. a year ago
A cacti/cacti maintainer validated this vulnerability a year ago
Selim Enes Karaduman has been awarded the disclosure bounty
The fix bounty is now up for grabs
Jimmy Conner marked this as fixed in 1.2.20 with commit 33b894 a year ago
Jimmy Conner has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation