Merge pull request from GHSA-jrxg-8wh8-943x

Cacti · Apr 7, 2024 · 9e87882 · 9e87882
1 parent 96d9a4c
commit 9e87882
Showing 1 changed file with 12 additions and 0 deletions.
diff --git a/lib/html_form_template.php b/lib/html_form_template.php
@@ -156,6 +156,18 @@ function draw_nontemplated_fields_graph_item($graph_template_id, $local_graph_id
 
 	if (cacti_sizeof($input_item_list)) {
 		foreach ($input_item_list as $item) {
+			if (!db_column_exists('graph_templates_item', $item['column_name'])) {
+				raise_message_javascript(
+					__('Attempted SQL Injection'),
+					__('There was a SQL Injection attempted on the page'),
+					__('A client attempted to create a SQL Injection into Cacti likely from an external host with the address %s', get_client_addr())
+				);
+
+				cacti_log(sprintf('ERROR: A client attempted to create a SQL Injection into Cacti likely from an external host with the address %s', get_client_addr()), false, 'SECURITY');
+
+				exit;
+			}
+
 			$form_array = array();
 
 			if (!empty($local_graph_id)) {