Source: cacti
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for cacti.

CVE-2023-49084[0]:
| Cacti is a robust performance and fault management framework and a
| frontend to RRDTool - a Time Series Database (TSDB). While using the
| detected SQL Injection and insufficient processing of the include
| file path, it is possible to execute arbitrary code on the server.
| Exploitation of the vulnerability is possible for an authorized
| user. The vulnerable component is the `link.php`. Impact of the
| vulnerability: execution of arbitrary code on the server.

https://github.com/Cacti/cacti/commit/58a980f335980ab57659420053d89d4e721ae3fc

CVE-2023-49086[1]:
| Cacti is a robust performance and fault management framework and a
| frontend to RRDTool - a Time Series Database (TSDB). Bypassing an
| earlier fix (CVE-2023-39360) that leads to a DOM XSS attack.
| Exploitation of the vulnerability is possible for an authorized
| user. The vulnerable component is the `graphs_new.php`. Impact of
| the vulnerability - execution of arbitrary javascript code in the
| attacked user's browser. This issue has been patched in version
| 1.2.26.

https://github.com/Cacti/cacti/security/advisories/GHSA-wc73-r2vw-59pr

I think https://github.com/Cacti/cacti/commit/58a980f335980ab57659420053d89d4e721ae3fc
should address both, but please double-check.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-49084
    https://www.cve.org/CVERecord?id=CVE-2023-49084
[1] https://security-tracker.debian.org/tracker/CVE-2023-49086
    https://www.cve.org/CVERecord?id=CVE-2023-49086

Please adjust the affected versions in the BTS as needed.
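The CVE-2023-49084 description above names two weaknesses that combine into code execution: an SQL injection and "insufficient processing of the include file path". The following PHP is an added illustration of the defensive pattern that closes both classes of bug; it is not code from the bug report, from the Cacti commit linked above, or from Cacti itself. The function names, the `PAGE_DIR` layout, and the `links` table with its `id` and `page` columns are hypothetical and chosen only for the example.

```php
<?php
// Added defensive illustration (not Cacti's code). All names here are
// hypothetical: PAGE_DIR, resolve_include_path(), fetch_link(), and the
// `links` table with `id` and `page` columns.

declare(strict_types=1);

const PAGE_DIR = __DIR__ . '/pages';

/**
 * Map an untrusted page name to a file under PAGE_DIR, or return null.
 * Two independent checks are applied: a strict character allowlist on the
 * name (no slashes, dots, NUL bytes, or stream wrappers such as php://),
 * and a realpath() containment check so symlinks or unexpected resolution
 * cannot escape the base directory.
 */
function resolve_include_path(string $page): ?string
{
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $page)) {
        return null;
    }
    $base = realpath(PAGE_DIR);
    $path = realpath(PAGE_DIR . '/' . $page . '.php');
    // realpath() returns false for a missing file, which is also a rejection.
    if ($base === false || $path === false) {
        return null;
    }
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

/**
 * Look up a link record by id using a prepared statement, so request input
 * is bound as a value and never concatenated into the SQL text.
 */
function fetch_link(PDO $db, string $rawId): ?array
{
    // Reject anything that is not a positive integer before it reaches SQL.
    if ($rawId === '' || !ctype_digit($rawId)) {
        return null;
    }
    $stmt = $db->prepare('SELECT id, page FROM links WHERE id = :id');
    $stmt->execute([':id' => (int) $rawId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Usage sketch (hypothetical request handler):
// $row  = fetch_link($db, $_GET['id'] ?? '');
// $file = $row !== null ? resolve_include_path($row['page']) : null;
// if ($file === null) {
//     http_response_code(400);
//     exit;
// }
// include $file;
```

The two checks in `resolve_include_path()` are deliberately redundant: the allowlist rejects traversal and wrapper syntax before any filesystem call is made, and the `realpath()` containment check catches anything the allowlist did not anticipate. The prepared statement in `fetch_link()` is the standard mitigation for the injection half of the chain; the `ctype_digit()` guard in front of it is belt-and-braces input validation, not a substitute for parameter binding.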