{"api_version":"1","generated_at":"2026-04-23T00:39:43+00:00","cve":"CVE-2020-14295","urls":{"html":"https://cve.report/CVE-2020-14295","api":"https://cve.report/api/cve/CVE-2020-14295.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2020-14295","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2020-14295"},"summary":{"title":"CVE-2020-14295","description":"A SQL injection issue in color.php in Cacti 1.2.12 allows an admin to inject SQL via the filter parameter. This can lead to remote command execution because the product accepts stacked queries.","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2020-06-17 14:15:00","updated_at":"2023-11-07 03:17:00"},"problem_types":["CWE-89"],"metrics":[],"references":[{"url":"http://packetstormsecurity.com/files/162384/Cacti-1.2.12-SQL-Injection-Remote-Code-Execution.html","name":"http://packetstormsecurity.com/files/162384/Cacti-1.2.12-SQL-Injection-Remote-Code-Execution.html","refsource":"MISC","tags":[],"title":"Cacti 1.2.12 SQL Injection / Remote Code Execution ≈ Packet Storm","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00085.html","name":"openSUSE-SU-2020:1106","refsource":"SUSE","tags":[],"title":"[security-announce] openSUSE-SU-2020:1106-1: moderate: Security update f","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00067.html","name":"openSUSE-SU-2020:1060","refsource":"SUSE","tags":[],"title":"[security-announce] openSUSE-SU-2020:1060-1: moderate: Security update f","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/Cacti/cacti/issues/3622","name":"https://github.com/Cacti/cacti/issues/3622","refsource":"MISC","tags":["Exploit","Issue Tracking","Third Party Advisory"],"title":"SQL Injection vulnerability due to input validation failure when editing colors (CVE-2020-14295) · Issue #3622 · Cacti/cacti · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://security.gentoo.org/glsa/202007-03","name":"GLSA-202007-03","refsource":"GENTOO","tags":[],"title":"Cacti: Multiple vulnerabilities (GLSA 202007-03) — Gentoo security","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZKM5G3YNSZDHDZMPCMAHG5B5M2V4XYSE/","name":"FEDORA-2020-8a15713da2","refsource":"","tags":[],"title":"[SECURITY] Fedora 32 Update: cacti-1.2.13-1.fc32 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W64CIB6L4HZRVQSWKPDDKXJO4J2XTOXD/","name":"FEDORA-2020-7dddce530c","refsource":"","tags":[],"title":"[SECURITY] Fedora 31 Update: cacti-spine-1.2.13-1.fc31 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W64CIB6L4HZRVQSWKPDDKXJO4J2XTOXD/","name":"FEDORA-2020-7dddce530c","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 31 Update: cacti-spine-1.2.13-1.fc31 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"http://packetstormsecurity.com/files/162918/Cacti-1.2.12-SQL-Injection-Remote-Command-Execution.html","name":"http://packetstormsecurity.com/files/162918/Cacti-1.2.12-SQL-Injection-Remote-Command-Execution.html","refsource":"MISC","tags":[],"title":"Cacti 1.2.12 SQL Injection / Remote Command Execution ≈ Packet Storm","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZKM5G3YNSZDHDZMPCMAHG5B5M2V4XYSE/","name":"FEDORA-2020-8a15713da2","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 32 Update: cacti-1.2.13-1.fc32 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2020-14295","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-14295","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2020","cve_id":"14295","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"cacti","cpe5":"cacti","cpe6":"1.2.12","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"14295","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"cacti","cpe5":"cacti","cpe6":"1.2.12","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"14295","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"31","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"14295","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"32","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2020-14295","qid":"501529","title":"Alpine Linux Security Update for cacti"},{"cve":"CVE-2020-14295","qid":"504593","title":"Alpine Linux Security Update for cacti"},{"cve":"CVE-2020-14295","qid":"690483","title":"Free Berkeley Software Distribution (FreeBSD) Security Update for cacti (cd2dc126-cfe4-11ea-9172-4c72b94353b5)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2020-14295","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"A SQL injection issue in color.php in Cacti 1.2.12 allows an admin to inject SQL via the filter parameter. This can lead to remote command execution because the product accepts stacked queries."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"url":"https://github.com/Cacti/cacti/issues/3622","refsource":"MISC","name":"https://github.com/Cacti/cacti/issues/3622"},{"refsource":"FEDORA","name":"FEDORA-2020-8a15713da2","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZKM5G3YNSZDHDZMPCMAHG5B5M2V4XYSE/"},{"refsource":"FEDORA","name":"FEDORA-2020-7dddce530c","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W64CIB6L4HZRVQSWKPDDKXJO4J2XTOXD/"},{"refsource":"SUSE","name":"openSUSE-SU-2020:1060","url":"http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00067.html"},{"refsource":"GENTOO","name":"GLSA-202007-03","url":"https://security.gentoo.org/glsa/202007-03"},{"refsource":"SUSE","name":"openSUSE-SU-2020:1106","url":"http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00085.html"},{"refsource":"MISC","name":"http://packetstormsecurity.com/files/162384/Cacti-1.2.12-SQL-Injection-Remote-Code-Execution.html","url":"http://packetstormsecurity.com/files/162384/Cacti-1.2.12-SQL-Injection-Remote-Code-Execution.html"},{"refsource":"MISC","name":"http://packetstormsecurity.com/files/162918/Cacti-1.2.12-SQL-Injection-Remote-Command-Execution.html","url":"http://packetstormsecurity.com/files/162918/Cacti-1.2.12-SQL-Injection-Remote-Command-Execution.html"}]}},"nvd":{"publishedDate":"2020-06-17 14:15:00","lastModifiedDate":"2023-11-07 03:17:00","problem_types":["CWE-89"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":7.2,"baseSeverity":"HIGH"},"exploitabilityScore":1.2,"impactScore":5.9},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:S/C:P/I:P/A:P","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"SINGLE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL","baseScore":6.5},"severity":"MEDIUM","exploitabilityScore":8,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:cacti:cacti:1.2.12:*:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2020","CveId":"14295","Ordinal":"175525","Title":"CVE-2020-14295","CVE":"CVE-2020-14295","Year":"2020"},"notes":[{"CveYear":"2020","CveId":"14295","Ordinal":"1","NoteData":"A SQL injection issue in color.php in Cacti 1.2.12 allows an admin to inject SQL via the filter parameter. This can lead to remote command execution because the product accepts stacked queries.","Type":"Description","Title":null},{"CveYear":"2020","CveId":"14295","Ordinal":"2","NoteData":"2020-06-17","Type":"Other","Title":"Published"},{"CveYear":"2020","CveId":"14295","Ordinal":"3","NoteData":"2021-06-02","Type":"Other","Title":"Modified"}]}}}