CVE-2014-2708

Description

Multiple SQL injection vulnerabilities in graph_xport.php in Cacti 0.8.7g, 0.8.8b, and earlier allow remote attackers to execute arbitrary SQL commands via the (1) graph_start, (2) graph_end, (3) graph_height, (4) graph_width, (5) graph_nolegend, (6) print_source, (7) local_graph_id, or (8) rra_id parameter.

How to fix CVE-2014-2708

To remediate CVE-2014-2708, upgrade the affected package to a fixed version below.

• Debian/cacti—upgrade to 0.8.8b+dfsg-4 or later

Is CVE-2014-2708 being exploited?

Low — EPSS is 1.5%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, < 0.8.8b+dfsg-4

References (1)

• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2014-2708