[SECURITY] [DLA 255-1] cacti security update

2015-06-2711:09:41

lists.debian.org

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.005 Low

EPSS

Percentile

76.7%

JSON

Package : cacti
Version : 0.8.7g-1+squeeze6
CVE ID : CVE-2015-2665 CVE-2015-4342 CVE-2015-4454

Several vulnerabilities (cross-site scripting and SQL injection) have
been discovered in Cacti, a web interface for graphing of monitoring
systems.

We recommend that you upgrade your cacti packages.

CVE-2015-2665

 Cross-site scripting (XSS) vulnerability in Cacti before 0.8.8d
 allows remote attackers to inject arbitrary web script or HTML via
 unspecified vectors.

CVE-2015-4342

 SQL Injection and Location header injection from cdef id

CVE-2015-4454

SQL injection vulnerability in the get_hash_graph_template function
in lib/functions.php in Cacti before 0.8.8d allows remote attackers
to execute arbitrary SQL commands via the graph_template_id
parameter to graph_templates.php

Unassigned CVE SQL injection VN:JVN#78187936 / TN:JPCERT#98968540

SQL injection vulnerability in the settings page

OSVersionArchitecturePackageVersionFilename
Debian8allcacti< 0.8.8b+dfsg-8+deb8u1cacti_0.8.8b+dfsg-8+deb8u1_all.deb
Debian7allcacti< 0.8.8a+dfsg-5+deb7u5cacti_0.8.8a+dfsg-5+deb7u5_all.deb
Debian6allcacti< 0.8.7g-1+squeeze6cacti_0.8.7g-1+squeeze6_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	8	all	cacti	< 0.8.8b+dfsg-8+deb8u1	cacti_0.8.8b+dfsg-8+deb8u1_all.deb
Debian	7	all	cacti	< 0.8.8a+dfsg-5+deb7u5	cacti_0.8.8a+dfsg-5+deb7u5_all.deb
Debian	6	all	cacti	< 0.8.7g-1+squeeze6	cacti_0.8.7g-1+squeeze6_all.deb