Cacti vulnerable to SQL injection


Cacti is a web application that graphs stored data collected from network devices. Cacti contains a SQL injection vulnerability due to a flaw in processing user input values for 'local_graph_id' in graph.php.
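The advisory names the mechanism (an integer request parameter, local_graph_id, reaching a SQL query without proper handling) but not the code. The following is an added PHP illustration, not Cacti's own code and not the actual graph.php: it contrasts a hypothetical string-built query with two defensive forms, strict integer validation and a prepared statement with a bound parameter, and runs them against a constructed in-memory SQLite table. Function names, the table layout and the sample inputs are assumptions for the demo.

```php
<?php
// Added illustration (not Cacti's code): the unsafe pattern behind a SQL
// injection in an integer request parameter, and the hardened alternatives.

// Hypothetical vulnerable pattern: the raw request value is interpolated
// into the query text, so the input can alter the query's structure.
function build_graph_query_unsafe(string $local_graph_id): string
{
    return "SELECT id, title FROM graph_local WHERE id = " . $local_graph_id;
}

// Hardened form 1: canonicalise to an integer before use. Anything that is
// not a plain decimal number is rejected, which is correct for an id field.
function parse_graph_id(mixed $raw): ?int
{
    if (!is_string($raw) && !is_int($raw)) {
        return null;
    }
    if (!preg_match('/^[0-9]{1,10}$/', (string) $raw)) {
        return null;
    }
    return (int) $raw;
}

// Hardened form 2: prepared statement with a bound integer parameter, so the
// value can never be parsed as SQL regardless of validation elsewhere.
function fetch_graph(PDO $db, int $local_graph_id): ?array
{
    $stmt = $db->prepare('SELECT id, title FROM graph_local WHERE id = :id');
    $stmt->bindValue(':id', $local_graph_id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample data in an in-memory SQLite database (assumed schema).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE graph_local (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO graph_local VALUES (1, 'Router uptime'), (2, 'Switch traffic')");

// Show why string building is unsafe: the WHERE clause no longer constrains
// the id once the input carries SQL syntax. The query is printed, not run.
echo "Unsafe query text for a crafted value:\n  ";
echo build_graph_query_unsafe('2 OR 1=1'), "\n\n";

// Run the same inputs through validation plus the prepared statement.
foreach (['2', '2 OR 1=1', '7', 'abc'] as $input) {
    $id = parse_graph_id($input);
    if ($id === null) {
        printf("%-12s rejected by validation\n", var_export($input, true));
        continue;
    }
    $row = fetch_graph($db, $id);
    printf("%-12s -> %s\n", var_export($input, true), $row ? $row['title'] : 'no such graph');
}
```

Both defensive layers are worth keeping: validation rejects malformed input early and gives a clean error, while the bound parameter guarantees that even a value that slips past a future code change is treated as data, never as SQL.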

Daiki Fukumori of Cyber Defense Institute, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity

CVSS V2 Severity:
Base Metrics 6.5 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: Single Instance
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial
Affected Products

The Cacti Group
  • Cacti 0.8.6e and earlier

Impact

Arbitrary SQL queries may be injected into the back-end database by a remote authenticated attacker.

Solution

[Update the software]
Update to the latest version according to the information provided by the developer.

According to the developer, this issue was addressed in 0.8.6f released in 2005.
Vendor Information

The Cacti Group
CWE

  1. SQL Injection (CWE-89) [IPA Evaluation]
CVE

  1. CVE-2015-0916

References

  1. JVN : JVN#18957556
  2. National Vulnerability Database (NVD) : CVE-2015-0916
Revision History

  • [2015/05/14]
      Web page was published
      Vendor Information : Content was added
      References : Content was added