
CVE-2024-31458

Severity: Medium · Public PoC available
Published: 14 May 2024
Modified: 04 November 2025
KEV Added: not listed
Patch: available (Cacti 1.2.27)
CVSS v3.1 score: 4.6 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L)
EPSS score: 0.0602 (90.9th percentile)
Risk Priority: 13 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-31458 is a medium-severity SQL injection (CWE-89) vulnerability in Cacti. Its CVSS v3.1 base score is 4.6 (Medium).

Operationally, it ranks in the top 9.1% of CVEs by exploit likelihood (EPSS 90.9th percentile); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

Cacti, an operational monitoring and fault management framework, contains a SQL injection vulnerability in versions prior to 1.2.27. The issue stems from insufficient input validation in the form_save() function in graph_template_inputs.php: data saved there is not thoroughly checked and is later concatenated into an SQL statement inside draw_nontemplated_fields_graph_item() in lib/html_form_templates.php, which is the classic CWE-89 pattern.

An authenticated user with low privileges (PR:L) can trigger the flaw by submitting crafted input through the affected graph template functions. Per the CVSS 4.6 vector, successful exploitation has limited integrity and availability impact (I:L/A:L), requires user interaction (UI:R), and does not affect confidentiality (C:N).

The GitHub Security Advisory and downstream distributions such as Fedora and Debian LTS recommend upgrading to Cacti 1.2.27, which contains the official patch. The EPSS score has remained flat at 0.0602, with no material increase since disclosure.

Vulnerability details

Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, some of the data stored in the `form_save()` function in `graph_template_inputs.php` is not thoroughly checked and is used to concatenate the SQL statement in the `draw_nontemplated_fields_graph_item()` function from `lib/html_form_templates.php`, finally resulting in SQL injection. Version 1.2.27 contains a patch for the issue.

CWE(s)

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

cacti / cacti: versions < 1.2.27 (1.2.27 is the fixed release)
fedoraproject / fedora: 39

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Penetration testing (addresses CWE-89): uses SQL injection payloads against database interfaces, identifying and supporting fixes for SQL injection weaknesses.

Input validation and parameterized queries (addresses CWE-89): validates query inputs and binds them as parameters to prevent SQL syntax or command manipulation.
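The following is an added example illustrating both the concatenation pattern described under "Deeper analysis" and the input validation control above. It is not Cacti's code: the `graph_template_input` table, its columns, the sample rows and the `form_save`-style parameter name are constructed for illustration on a throwaway SQLite database, and the vulnerable function is deliberately unsafe so the effect of a crafted value is visible beside the hardened form.

```python
"""Added example: string-concatenated SQL (the CWE-89 pattern behind
CVE-2024-31458) beside the validated, parameter-bound fix.
Not Cacti's code; schema and data below are constructed for illustration."""
import sqlite3

# Constructed sample rows: (id, graph_template_id, name). Not Cacti's schema.
SAMPLE_ROWS = [
    (1, 10, "Inbound Traffic"),
    (2, 10, "Outbound Traffic"),
    (3, 20, "CPU Load"),
]

SELECT_SQL = "SELECT id, name FROM graph_template_input WHERE graph_template_id = "


def make_db():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE graph_template_input "
        "(id INTEGER PRIMARY KEY, graph_template_id INTEGER, name TEXT)"
    )
    conn.executemany("INSERT INTO graph_template_input VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def fetch_inputs_vulnerable(conn, graph_template_id):
    """Deliberately unsafe: the request value is pasted into the statement
    text, so the database parses attacker-controlled content as SQL."""
    sql = SELECT_SQL + str(graph_template_id)
    return conn.execute(sql).fetchall()


def fetch_inputs_bound_only(conn, graph_template_id):
    """Binding alone: the value is passed as a parameter and is never parsed
    as SQL. A tautology payload simply fails to match any row."""
    return conn.execute(SELECT_SQL + "?", (graph_template_id,)).fetchall()


def fetch_inputs_hardened(conn, graph_template_id):
    """Defense in depth: enforce the expected type first (an id must be an
    integer), then bind the validated value as a parameter."""
    try:
        tid = int(graph_template_id)
    except (TypeError, ValueError):
        raise ValueError(f"graph_template_id must be an integer, got {graph_template_id!r}")
    return conn.execute(SELECT_SQL + "?", (tid,)).fetchall()


def demo():
    """Run legitimate and crafted values through each variant and return the
    observations so they can be checked rather than only printed."""
    conn = make_db()
    legit = "10"            # what a normal form submission carries
    payload = "10 OR 1=1"   # crafted value a low-privilege user could submit
    results = {
        "vuln_legit": fetch_inputs_vulnerable(conn, legit),
        "vuln_payload": fetch_inputs_vulnerable(conn, payload),   # leaks every row
        "bound_only_payload": fetch_inputs_bound_only(conn, payload),  # no rows
        "hard_legit": fetch_inputs_hardened(conn, legit),
    }
    try:
        fetch_inputs_hardened(conn, payload)
        results["hard_payload"] = "accepted"
    except ValueError:
        results["hard_payload"] = "rejected"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The tautology `10 OR 1=1` widens the vulnerable query to every row; the same text bound as a parameter matches nothing, and the hardened variant rejects it before any query runs. In a real audit the check is the same: find every place where request data reaches a query through string concatenation and move it behind a bound parameter, with type validation in front where the field is an identifier.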
