status_rrd_graph_img.php: Lack of validation on "graph" variable can lead to shell exec
The graph parameter on status_rrd_graph_img.php is somewhat sanitized but still allows the pipe character, which can be used to craft a command that will be executed.
Easiest demo is with some bunk data such as:
And then look in the system log for "foo".
Happens on 2.2.x and 2.3. I have a fix in mind, will push it once it's tested on both 2.2.x and 2.3.
Make RRD lists global, validate graph name using whitelist of known values rather than blacklist of characters, beef up validation and escaping of related values while here. Fixes #5874 for 2.2.x
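The fix described in the commit message replaces character blacklisting with a whitelist of known graph names. The following is an added illustration of that approach in PHP; it is not pfSense's code or the actual patch, and the whitelist contents, the `/var/db/rrd` path, and the function names `validate_graph_name` and `build_rrd_command` are assumptions chosen for the example.

```php
<?php
// Added example (not pfSense's own code): validate a user-supplied graph
// name against a whitelist of known graph names rather than stripping
// "bad" characters from it.

// Hypothetical whitelist of known RRD graph names. On a real system this
// list would be built from the RRD files that actually exist on the box.
$known_graphs = array(
    'system-processor',
    'system-memory',
    'wan-traffic',
    'lan-traffic',
);

/**
 * Return the validated graph name, or null if the value is not one of the
 * known graphs. Strict comparison (third argument true) avoids loose
 * type-coercion matches; anything not in the list is rejected outright.
 */
function validate_graph_name($candidate, array $known_graphs) {
    if (!is_string($candidate)) {
        return null;
    }
    return in_array($candidate, $known_graphs, true) ? $candidate : null;
}

/**
 * Build an rrdtool command line only from validated inputs. Even after
 * whitelisting, every argument handed to a shell is wrapped in
 * escapeshellarg() as defence in depth.
 */
function build_rrd_command($graph, array $known_graphs, $rrd_dir = '/var/db/rrd') {
    $name = validate_graph_name($graph, $known_graphs);
    if ($name === null) {
        // Refuse to proceed; the caller should log the rejected value
        // and return an error rather than fall back to a default.
        return null;
    }
    $rrd_path = $rrd_dir . '/' . $name . '.rrd';
    return 'rrdtool graph ' . escapeshellarg('/tmp/' . $name . '.png')
        . ' DEF:d=' . escapeshellarg($rrd_path . ':value:AVERAGE');
}

// Constructed inputs: a known graph is accepted, an unknown one is rejected
// before any command string is built.
var_dump(build_rrd_command('wan-traffic', $known_graphs));
var_dump(build_rrd_command('not-a-known-graph', $known_graphs));
```

The key design point is that the whitelist decides what is acceptable, so the question of which characters are dangerous in a shell context never has to be answered in the validation code; escaping of the final arguments is kept as a second layer, not as the primary control.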