CVE-2023-39361

Name	CVE-2023-39361
Description	Cacti is an open source operational monitoring and fault management framework. Affected versions are subject to a SQL injection discovered in graph_view.php. Since guest users can access graph_view.php without authentication by default, if guest users are being utilized in an enabled state, there could be the potential for significant damage. Attackers may exploit this vulnerability, and there may be possibilities for actions such as the usurpation of administrative privileges or remote code execution. This issue has been addressed in version 1.2.25. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-3765-1, DSA-5550-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
cacti (PTS)	buster	1.2.2+ds1-2+deb10u4	vulnerable
	buster (security)	1.2.2+ds1-2+deb10u6	fixed
	bullseye	1.2.16+ds1-2+deb11u2	fixed
	bullseye (security)	1.2.16+ds1-2+deb11u3	fixed
	bookworm	1.2.24+ds1-1+deb12u1	fixed
	bookworm (security)	1.2.24+ds1-1+deb12u2	fixed
	sid, trixie	1.2.26+ds1-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Origin
cacti	source	buster	1.2.2+ds1-2+deb10u6	DLA-3765-1
cacti	source	bullseye	1.2.16+ds1-2+deb11u2	DSA-5550-1
cacti	source	bookworm	1.2.24+ds1-1+deb12u1	DSA-5550-1
cacti	source	(unstable)	1.2.25+ds1-1

Notes

https://github.com/Cacti/cacti/security/advisories/GHSA-6r43-q2fw-5wrg
https://github.com/cacti/cacti/commit/4246aee6310846d0e106bd05279e54fff3765822 (release/1.2.25)
Introduced by: https://github.com/cacti/cacti/commit/36269461cb9b03581ad5d7f6ddbc085a28fb9c37 (release/1.2.17)
but the patch still fixes multiple similar issues including one present in earlier versions.
Additional hardening with CVE-2023-39365.