cacti
Cacti 0.8.7e and earlier versions are affected by multiple security
issues. Issues 1-4 are cross-site scripting issues; issue 5 is a
privilege escalation issue.
Cacti 0.8.7a Multiple Vulnerabilities
Name Multiple Vulnerabilities in Cacti
Systems Affected Cacti 0.8.7a and possibly earlier versions
Severity High
Impact (CVSSv2) High (9/10, vector: AV:N/AC:L/Au:N/C:C/I:P/A:P)
Vendor http://www.cacti.net/
Advisory http://www.ush.it/team/ush/hack-cacti087a/cacti.txt
Author Francesco "ascii" Ongaro (ascii AT ush DOT it)
Antonio "s4tan" Parata (s4tan AT ush DOT it)
Mandriva Linux Security Advisory MDVSA-2010:160
http://www.mandriva.com/security/
_______________________________________________________________________
Package : cacti
Date : August 24, 2010
Affected: Corporate 4.0, Enterprise Server 5.0
_______________________________________________________________________
Problem Description:
Debian Security Advisory DSA-1954-1 security@debian.org
http://www.debian.org/security/ Steffen Joeris
December 16, 2009 http://www.debian.org/security/faq
------------------------------------------------------------------------
Package : cacti
Vulnerability : insufficient input sanitising
Problem type : remote
Debian-specific: no
CVE Ids : CVE-2007-3112 CVE-2007-3113 CVE-2009-4032
Debian Bugs : 429224
Cacti Multiple Parameter Cross Site Scripting Vulnerabilities
I. BACKGROUND
---------------------
"Cacti is a complete network graphing solution designed to harness the power
of RRDTool's data storage and graphing functionality. Cacti provides a fast
poller, advanced graph templating, multiple data acquisition methods, and
user management features out of the box." from cacti.net
Debian Security Advisory DSA-1569-2 security@debian.org
http://www.debian.org/security/ Thijs Kinkhorst
May 06, 2008 http://www.debian.org/security/faq
------------------------------------------------------------------------
Package : cacti
Vulnerability : insufficient input sanitising
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2008-0783 CVE-2008-0785
Mandriva Linux Security Advisory MDVSA-2010:092
http://www.mandriva.com/security/
_______________________________________________________________________
Package : cacti
Date : May 6, 2010
Affected: Corporate 4.0, Enterprise Server 5.0
_______________________________________________________________________
Problem Description:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Cacti: Multiple vulnerabilities
Date: March 10, 2008
Bugs: #209918
ID: 200803-18
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Cacti: SQL injection
Date: December 05, 2007
Updated: December 05, 2007
Bugs: #199509
ID: 200712-02:02
Mandriva Linux Security Advisory MDVSA-2010:117
http://www.mandriva.com/security/
_______________________________________________________________________
Package : cacti
Date : June 16, 2010
Affected: Enterprise Server 5.0
_______________________________________________________________________
Problem Description:
Debian Security Advisory DSA-1418-1 security@debian.org
http://www.debian.org/security/ Thijs Kinkhorst
December 02, 2007 http://www.debian.org/security/faq
------------------------------------------------------------------------
Package : cacti
Vulnerability : missing input sanitising
Problem-Type : remote
Debian-specific: no
CVE ID : CVE-2007-6035
Debian Bug : 452085
Mandriva Linux Security Advisory MDVSA-2008:052
http://www.mandriva.com/security/
_______________________________________________________________________
Package : cacti
Date : February 27, 2008
Affected: Corporate 4.0
_______________________________________________________________________
Problem Description:
Debian Security Advisory DSA-1569-3 security@debian.org
http://www.debian.org/security/ Thijs Kinkhorst
July 15, 2008 http://www.debian.org/security/faq
------------------------------------------------------------------------
Package : cacti
Vulnerability : insufficient input sanitising
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2008-0783 CVE-2008-0785
Debian Security Advisory DSA-1569-1 security@debian.org
http://www.debian.org/security/ Thijs Kinkhorst
May 05, 2008 http://www.debian.org/security/faq
------------------------------------------------------------------------
Package : cacti
Vulnerability : insufficient input sanitising
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2008-0783 CVE-2008-0785
Debian Security Advisory DSA-2039-1 security@debian.org
http://www.debian.org/security/ Thijs Kinkhorst
April 23, 2010 http://www.debian.org/security/faq
------------------------------------------------------------------------
Package : cacti
Vulnerability : missing input sanitising
Problem type : remote
Debian-specific: no
Debian Bug : 578909
Debian Security Advisory DSA-2060-1 security@debian.org
http://www.debian.org/security/ Nico Golde
June 13th, 2010 http://www.debian.org/security/faq
---------------------------------------------------------------------------
Package : cacti
Vulnerability : insufficient input sanitization
Problem type : remote
Debian-specific: no
Debian bug : 582691
CVE ID : CVE-2010-2092
Affected packages:
cacti < 0.8.7b
Multiple security vulnerabilities have been discovered in Cacti's web
interface:
* XSS vulnerabilities
* Path disclosure vulnerabilities
* SQL injection vulnerabilities
Mandriva Linux Security Advisory MDKSA-2007:231
http://www.mandriva.com/security/
_______________________________________________________________________
Package : cacti
Date : November 22, 2007
Affected: Corporate 4.0
_______________________________________________________________________
Problem Description:
Mandriva Linux Security Advisory MDKSA-2007:184
http://www.mandriva.com/security/
_______________________________________________________________________
Package : cacti
Date : September 17, 2007
Affected: Corporate 4.0
_______________________________________________________________________
Problem Description:
http://php-security.org/2010/05/15/mops-2010-030-cmsqlite-mod-parameter-local-file-inclusion-vulnerability/
MOPS-2010-029: CMSQlite c Parameter SQL Injection Vulnerability
http://php-security.org/2010/05/15/mops-2010-029-cmsqlite-c-parameter-sql-injection-vulnerability/
MOPS-2010-023: Cacti Graph Viewer SQL Injection Vulnerability
http://php-security.org/2010/05/13/mops-2010-023-cacti-graph-viewer-sql-injection-vulnerability/
Thank you
Stefan Esser