-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
- -
Debian LTS Advisory DLA-3765-1debian-...@lists.debian.org
https://www.debian.org/lts/security/ Sylvain Beucler
March 18, 2024https://wiki.debian.org/LTS
- -
Package: cacti
Version: 1.2.2+ds1-2+deb10u6
CVE ID : CVE-2023-39357 CVE-2023-39360 CVE-2023-39361 CVE-2023-39362
CVE-2023-39364 CVE-2023-39365 CVE-2023-39513 CVE-2023-39515
CVE-2023-39516 CVE-2023-49084 CVE-2023-49085 CVE-2023-49086
CVE-2023-49088
Debian Bug : 1059254
Multiple vulnerabilities were found in Cacti, a network monitoring
system. An attacker could manipulate the database, execute code
remotely, launch DoS (denial-of-service) attacks or impersonate Cacti
users, in some situations.
CVE-2023-39357
When the column type is numeric, the sql_save function directly
utilizes user input. Many files and functions calling the sql_save
function do not perform prior validation of user input, leading to
the existence of multiple SQL injection vulnerabilities in
Cacti. This allows authenticated users to exploit these SQL
injection vulnerabilities to perform privilege escalation and
remote code execution.
CVE-2023-39360
Stored Cross-Site-Scripting (XSS) Vulnerability allows an
authenticated user to poison data. The vulnerability is found in
`graphs_new.php`. Several validations are performed, but the
`returnto` parameter is directly passed to `form_save_button`. In
order to bypass this validation, returnto must contain `host.php`.
CVE-2023-39361
SQL injection discovered in graph_view.php. Since guest users can
access graph_view.php without authentication by default, if guest
users are being utilized in an enabled state, there could be the
potential for significant damage. Attackers may exploit this
vulnerability, and there may be povssibilities for actions such as
the usurpation of administrative privileges or remote code
execution.
CVE-2023-39362
An authenticated privileged user, can use a malicious string in
the SNMP options of a Device, performing command injection and
obtaining remote code execution on the underlying server. The
`lib/snmp.php` file has a set of functions, with similar behavior,
that accept in input some variables and place them into an `exec`
call without a proper escape or validation.
CVE-2023-39364
Users with console access can be redirected to an arbitrary
website after a change password performed via a specifically
crafted URL. The `auth_changepassword.php` file accepts `ref` as a
URL parameter and reflects it in the form used to perform the
change password. It's value is used to perform a redirect via
`header` PHP function. A user can be tricked in performing the
change password operation, e.g., via a phishing message, and then
interacting with the malicious website where the redirection has
been performed, e.g., downloading malwares, providing credentials,
etc.
CVE-2023-39365
Issues with Cacti Regular Expression validation combined with the
external links feature can lead to limited SQL Injections and
subsequent data leakage.
CVE-2023-39513
Stored Cross-Site-Scripting (XSS) Vulnerability which allows an
authenticated user to poison data stored in the _cacti_'s
database. The script under `host.php` is used to monitor and
manage hosts in the _cacti_ app, hence displays useful information
such as data queries and verbose logs.
CVE-2023-39515
Stored Cross-Site-Scripting (XSS) Vulnerability allows an
authenticated user to poison data stored in the cacti's
database. These data will be viewed by administrative cacti
accounts and execute JavaScript code in the victim's browser at
view-time. The script under `data_debug.php` displays data source
related debugging information such as _data source paths, polling
settings, meta-data on the data source.
CVE-2023-39516
Stored Cross-Site-Scripting (XSS) Vulnerability which allows an
authenticated user to poison data stored in the _cacti_'s
database. These data will be viewed by administrative _cacti_
accounts and execute JavaScript code in the victim's browser at
view-time. The script under `data_sources.php` displays the data
source management information (e.g. data source path, polling
configuration etc.) for different data visualizations of the
_cacti_ app.
CVE-2023-49084
While using the detected SQL Injection and insufficient processing
of the include file path, it is possible to execute arbitrary code
on the server. Exploitation of the vulnerability is possible for
an authorized
