SQL Injection in cacti/cacti


Reported on

Nov 13th 2021


SQL Injection vulnerability occurs because the input taken from parameters is not sanitized for SQL Injection statement in user_admin.php

user_admin.php:84 update_policies() function contains sql injection vulnerability

get_nfilter_request_var() function takes get/post parameter without sanitizing, so an attacker is able to inject arbitrary data into SQL query


This vulnerability is capable of injection SQL queries

We are processing your report and will contact the cacti team within 24 hours. 2 months ago
Selim Enes Karaduman modified their report
2 months ago
We have contacted a member of the cacti team and are waiting to hear back 2 months ago
We have sent a follow up to the cacti team. We will try again in 7 days. 2 months ago
2 months ago


@admin is it normal to take that much time for author to response?

Jamie Slome
2 months ago


We have sent two e-mails out to the maintainer and are yet to hear back from them. It might be worth getting in touch with them personally, and sharing the URL for this report with them! ­čĹŹ

We have sent a second follow up to the cacti team. We will try again in 10 days. 2 months ago
A cacti/cacti maintainer validated this vulnerability 2 months ago
Selim Enes Karaduman has been awarded the disclosure bounty
The fix bounty is now up for grabs
Jimmy Conner confirmed that a fix has been merged on 33b894 2 months ago
Jimmy Conner has been awarded the fix bounty