CVE-2023-39365 MEDIUM

CVE-2023-39365: Unchecked regular expressions can lead to SQL Injection and data leakage in Cacti

Vendor Cacti

Product cacti

Weakness CWE-89 · SQLi

Published September 5, 2023

Last update February 13, 2025

View on NVD All CVEs

CVSS base score

4.6/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction Required

Confidentiality Low

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:L

What the vulnerability does

01Description

Cacti is an open source operational monitoring and fault management framework. Issues with Cacti Regular Expression validation combined with the external links feature can lead to limited SQL Injections and subsequent data leakage. This issue has been addressed in version 1.2.25. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Key dates

02Disclosure timeline

September 5, 2023 CVE published

February 13, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2023-39365

Related vulnerabilities

04Related CVE

CVE-2025-14566 kidaze CourseSelectionSystem reg.php sql injection CVE-2024-12032 Tourfic – Ultimate Hotel Booking, Travel Booking & Apartment Booking WordPress Plugin | WooCommerce Booking <= 2.15.3 - Authenticated (Subscriber+) SQL Injection CVE-2024-7190 itsourcecode Society Management System get_price.php sql injection CVE-2025-1134 SQL Injection in ChurchCRM CurrentFundraiser Parameter via DonatedItemEditor.php CVE-2023-1211 SQL Injection in phpipam/phpipam