CVE-2024-31445

CVSS 3.1 Score 8.8 of 10 (high)

Details

Published May 14, 2024
CWE ID 89

Summary

CVE-2024-31445 is a SQL injection vulnerability in Cacti, specifically in the `automation_get_new_graphs_sql` function of `api_automation.php` prior to version 1.2.27. This vulnerability allows authenticated users to exploit SQL injection vulnerabilities for privilege escalation and remote code execution. The issue arises from the concatenation of the `get_request_var('filter')` into the SQL statement without any sanitization. The filter for `'filter'` is set to `'FILTER_DEFAULT'`, which means there is no filter for it. However, version 1.2.27 contains a patch for this vulnerability. The vulnerability has a risk score of 68, with a base severity of HIGH and a base score of 8.8 according to the CVSS:3.1 vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. It poses a potential danger to organizations as it allows attackers to execute arbitrary code and gain unauthorized access through SQL injections.

Share

Explore Beyond the CVE Basics with Recorded Future's Vulnerability Intelligence

Note: This is just a basic overview providing quick insights into CVE-2024-31445 information. Gain full access to comprehensive CVE data, risk scores, prioritization, and mitigation data through Recorded Future's Vulnerability Intelligence:
  • Prioritize with Risk-Based Scoring
  • Explore the Extensive Vulnerability Database
  • Receive Early Alerts on Emerging CVEs
  • Focus on Critical Exploitable Vulnerabilities
  • Streamline Remediation with Integration Options