Cyber Posture

CVE-2024-54146

Severity: High
Public PoC: Yes
Published: 27 January 2025
Modified: 04 March 2025
KEV Added: none listed
Patch: available (fixed in 1.2.29)
CVSS Score: 7.6 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H)
EPSS Score: 0.0924 (92.7th percentile)
Risk Priority: 21 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Cacti is an open source performance and fault management framework. Cacti has a SQL injection vulnerability in the template function of host_templates.php using the graph_template parameter. This vulnerability is fixed in 1.2.29.

Security Summary

CVE-2024-54146 is a SQL injection vulnerability (CWE-89) in Cacti, an open-source performance and fault management framework. The flaw is in the template function of host_templates.php, where the graph_template request parameter is not validated or escaped before it reaches a SQL query, so attacker-controlled text becomes part of the query itself. Published on January 27, 2025, the vulnerability carries a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H) and is fixed in Cacti 1.2.29.

Per the vector, an authenticated attacker holding only low privileges (PR:L) can exploit it over the network with low complexity and no user interaction. The rated impact is limited on confidentiality and integrity (C:L/I:L, exposing or altering some database contents) but high on availability (A:H), for example by disrupting the database the application depends on.

Mitigation is outlined in the Cacti GitHub security advisory (GHSA-vj9g-p7f2-4wqj) and the associated fix commit (c7e4ee798d263a3209ae6e7ba182c7b65284d8f0), which recommend upgrading to Cacti 1.2.29 or later to patch the SQL injection handling in host_templates.php.
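The two paragraphs above describe the flaw (an unvalidated graph_template value spliced into a query) and the fix (corrected SQL handling in 1.2.29). The following Python block is an added illustration of that CWE-89 pattern and its hardened form, not Cacti's own code: Cacti is written in PHP, and its real query text, table layout and the exact change made in the fix commit are in the advisory and commit linked above. The table names, columns, rows and the payload are constructed for the demo, and the in-memory SQLite database stands in for Cacti's MySQL backend.

```python
"""Python model of the CWE-89 pattern behind CVE-2024-54146, run against an
in-memory SQLite database.

This is an added illustration, not Cacti's code: Cacti is written in PHP, and
the real query text in host_templates.php, its table layout and the 1.2.29 fix
are in the advisory and commit cited on the page. The table names, columns,
rows and payload below are constructed for the demo.
"""
import sqlite3


def make_db():
    """Build a constructed schema: a template table plus a credentials table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE graph_templates (id INTEGER PRIMARY KEY, name TEXT);
        INSERT INTO graph_templates VALUES (1, 'Interface Traffic');
        INSERT INTO graph_templates VALUES (2, 'CPU Usage');
        CREATE TABLE user_auth (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO user_auth VALUES (1, 'admin', 'constructed-password-hash');
    """)
    return conn


def lookup_vulnerable(conn, graph_template):
    """Vulnerable pattern: the raw request parameter is spliced into the SQL text.

    `graph_template` plays the role of the unsanitised request value.
    """
    sql = "SELECT name FROM graph_templates WHERE id = " + graph_template
    return [row[0] for row in conn.execute(sql)]


def lookup_hardened(conn, graph_template):
    """Hardened pattern: allow only a decimal id, then bind it as a parameter.

    A template id is a number, so the allow-list is simply isdigit(); binding
    the value means even a permitted value can never become SQL syntax.
    """
    if not isinstance(graph_template, str) or not graph_template.isdigit():
        raise ValueError("graph_template must be a non-negative integer id")
    sql = "SELECT name FROM graph_templates WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (int(graph_template),))]


def hardened_rejects(conn, graph_template):
    """True if the hardened lookup refuses the value instead of querying."""
    try:
        lookup_hardened(conn, graph_template)
    except ValueError:
        return True
    return False


# Constructed payload: no template has id 0, so only the UNION branch returns
# rows, and the credentials table is read through the template lookup.
PAYLOAD = "0 UNION SELECT username || ':' || password FROM user_auth"

if __name__ == "__main__":
    db = make_db()
    print("benign, vulnerable :", lookup_vulnerable(db, "2"))
    print("payload, vulnerable:", lookup_vulnerable(db, PAYLOAD))
    print("benign, hardened   :", lookup_hardened(db, "2"))
    print("payload, hardened  :", "rejected" if hardened_rejects(db, PAYLOAD) else "accepted")
```

The model shows the confidentiality side of the rating (a UNION reading a table the caller was never meant to see). It does not reproduce the high availability impact in the vector, and sqlite3's single-statement execute() would raise on a stacked `;`-separated payload where a MySQL driver might not, so treat the payload as a demonstration of the injection class rather than of what was done against real Cacti deployments.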

Details

CWE(s)
CWE-89

Affected Products

Vendor: cacti
Product: cacti
Versions: all releases before 1.2.29 (fixed in 1.2.29)

References