Bug 1216692 (CVE-2023-46490) - VUL-0: CVE-2023-46490: cacti: SQL Injection vulnerability in Cacti v1.2.25 allows a remote attacker to obtain sensitive information via the form_actions() function in the managers.php function.
Summary: VUL-0: CVE-2023-46490: cacti: SQL Injection vulnerability in Cacti v1.2.25 al...
Status: RESOLVED WONTFIX
Alias: CVE-2023-46490
Product: openSUSE Distribution
Classification: openSUSE
Component: Security (show other bugs)
Version: Leap 15.6
Hardware: Other Other
Importance (priority / severity): P3 - Medium / Normal
Target Milestone: ---
Assignee: Andreas Stieger
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/383387/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-10-30 08:12 UTC by SMASH SMASH
Modified: 2024-01-24 17:27 UTC (History)
CC List: 1 user

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Description SMASH SMASH 2023-10-30 08:12:50 UTC
SQL Injection vulnerability in Cacti v1.2.25 allows a remote attacker to obtain
sensitive information via the form_actions() function in the managers.php
function.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-46490
Comment 1 Thomas Leroy 2023-10-30 08:18:45 UTC
SQLi requiring admin access afaiu.

openSUSE:Factory and openSUSE:Backports:SLE-15-SP{4,5}:Update affected.
Comment 2 Andreas Stieger 2023-10-30 15:59:11 UTC
gist: https://gist.github.com/ISHGARD-2/a95632111138fcd7ccf7432ccb145b53
Report linked: https://github.com/Cacti/cacti/security/advisories/GHSA-f4r3-53jr-654c is not accessible.
In GHSA this is https://github.com/advisories/GHSA-6xmf-7cqj-2h8m, not reviewed.

Reporter noted that this is timing based: "Although there is no echo, by measuring the time delay of accessing the website, authenticated users can obtain mysql database content."

User has no significant history
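Added example (not from the bug report, from Cacti, or from either commenter): a small log-side detector for the timing-based, "no echo" pattern the reporter describes, where the only observable is the delay. It assumes a constructed access-log format that records the authenticated user and the response time in milliseconds; the sample lines and the parameter name in them are made up and are not Cacti's.

```python
import re
import statistics
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample lines (not real Cacti traffic):
# client, authenticated user, method, request target, status, response time in ms.
# POST bodies are not logged, so for line 4 the delay itself is the only signal.
SAMPLE_LOG = """\
10.0.0.5 admin GET /cacti/managers.php?action=edit&id=3 200 41
10.0.0.5 admin POST /cacti/managers.php 200 38
10.0.0.5 admin POST /cacti/managers.php?id=3%20AND%20SLEEP(5) 200 5049
10.0.0.5 admin POST /cacti/managers.php 200 5012
10.0.0.9 admin POST /cacti/managers.php 200 44
10.0.0.7 guest GET /cacti/graph_view.php 200 12
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+)$")
# Time-delay primitives that have no legitimate use in a form parameter.
DELAY_RE = re.compile(r"\b(SLEEP|BENCHMARK|PG_SLEEP|WAITFOR)\s*\(", re.IGNORECASE)

def parse_log(text):
    """Parse the constructed format above into dicts; URL-decode the query part."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            client, user, method, target, status, ms = m.groups()
            path, _, query = target.partition("?")
            rows.append({"client": client, "user": user, "method": method,
                         "path": path, "query": unquote_plus(query),
                         "status": int(status), "ms": int(ms)})
    return rows

def find_timing_sqli(rows, slow_factor=10, min_slow_ms=1000):
    """Return (reason, row) pairs. Two signals: a delay primitive visible in the
    decoded parameters, or a response far slower than the per-path median,
    which catches probes whose payload travels in an unlogged POST body."""
    by_path = defaultdict(list)
    for r in rows:
        by_path[r["path"]].append(r["ms"])
    findings = []
    for r in rows:
        if DELAY_RE.search(r["query"]):
            findings.append(("delay_primitive", r))
            continue
        median = statistics.median(by_path[r["path"]])
        if r["ms"] >= min_slow_ms and r["ms"] > slow_factor * median:
            findings.append(("latency_outlier", r))
    return findings

if __name__ == "__main__":
    for reason, row in find_timing_sqli(parse_log(SAMPLE_LOG)):
        print(reason, row["user"], row["client"], row["path"], row["ms"])
```

In a real deployment the latency baseline should be computed per path over a longer window than a handful of lines, and the hits correlated with the session of the authenticated user, since the reporter's scenario requires an authenticated account.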
Comment 3 Andreas Stieger 2024-01-24 17:27:21 UTC
bogus issue