Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ubuntuUbuntuUSN-6969-1
HistoryAug 20, 2024 - 12:00 a.m.

Cacti vulnerabilities

2024-08-2000:00:00
ubuntu.com
15
cacti
ubuntu lts
arbitrary code execution
sql injection
authentication bypass
cve-2024

CVSS3

9.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

AI Score

8.1

Confidence

Low

EPSS

0.003

Percentile

70.5%

JSON

Releases

  • Ubuntu 24.04 LTS
  • Ubuntu 22.04 LTS
  • Ubuntu 20.04 LTS
  • Ubuntu 18.04 ESM
  • Ubuntu 16.04 ESM
  • Ubuntu 14.04 ESM

Packages

  • cacti - web interface for graphing of monitoring systems

Details

It was discovered that Cacti did not properly apply checks to the “Package
Import” feature. An attacker could possibly use this issue to perform
arbitrary code execution. This issue only affected Ubuntu 24.04 LTS, Ubuntu
22.04 LTS, Ubuntu 20.04 LTS and Ubuntu 18.04 LTS. (CVE-2024-25641)

It was discovered that Cacti did not properly sanitize values when using
javascript based API. A remote attacker could possibly use this issue to
inject arbitrary javascript code resulting into cross-site scripting
vulnerability. This issue only affected Ubuntu 24.04 LTS. (CVE-2024-29894)

It was discovered that Cacti did not properly sanitize values when managing
data queries. A remote attacker could possibly use this issue to inject
arbitrary javascript code resulting into cross-site scripting
vulnerability. (CVE-2024-31443)

It was discovered that Cacti did not properly sanitize values when reading
tree rules with Automation API. A remote attacker could possibly use this
issue to inject arbitrary javascript code resulting into cross-site
scripting vulnerability. (CVE-2024-31444)

It was discovered that Cacti did not properly sanitize
“get_request_var(‘filter’)” values in the “api_automation.php” file. A
remote attacker could possibly use this issue to perform SQL injection
attacks. This issue only affected Ubuntu 24.04 LTS, Ubuntu 22.04 LTS,
Ubuntu 20.04 LTS and Ubuntu 18.04 LTS. (CVE-2024-31445)

It was discovered that Cacti did not properly sanitize data stored in
“form_save()” function in the “graph_template_inputs.php” file. A remote
attacker could possibly use this issue to perform SQL injection attacks.
(CVE-2024-31458)

It was discovered that Cacti did not properly validate the file urls from
the lib/plugin.php file. An attacker could possibly use this issue to
perform arbitrary code execution. (CVE-2024-31459)

It was discovered that Cacti did not properly validate the data stored in
the “automation_tree_rules.php”. A remote attacker could possibly use this
issue to perform SQL injection attacks. This issue only affected Ubuntu
24.04 LTS, Ubuntu 22.04 LTS, Ubuntu 20.04 LTS and Ubuntu 18.04 LTS.
(CVE-2024-31460)

It was discovered that Cacti did not properly verify the user password.
An attacker could possibly use this issue to bypass authentication
mechanism. This issue only affected Ubuntu 24.04 LTS, Ubuntu 22.04 LTS,
Ubuntu 20.04 LTS and Ubuntu 18.04 LTS. (CVE-2024-34360)

OSVersionArchitecturePackageVersionFilename
Ubuntu24.04noarchcacti< 1.2.26+ds1-1ubuntu0.1UNKNOWN
Ubuntu22.04noarchcacti< 1.2.19+ds1-2ubuntu1.1UNKNOWN
Ubuntu20.04noarchcacti< 1.2.10+ds1-1ubuntu1.1UNKNOWN
Ubuntu18.04noarchcacti< 1.1.38+ds1-1ubuntu0.1~esm3UNKNOWN
Ubuntu18.04noarchcacti< 1.1.38+ds1-1UNKNOWN
Ubuntu16.04noarchcacti< 0.8.8f+ds1-4ubuntu4.16.04.2+esm2UNKNOWN
Ubuntu16.04noarchcacti< 0.8.8f+ds1-4ubuntu4.16.04.2UNKNOWN
Ubuntu14.04noarchcacti< 0.8.8b+dfsg-5ubuntu0.2+esm2UNKNOWN
Ubuntu14.04noarchcacti< 0.8.8b+dfsg-5ubuntu0.2UNKNOWN

Related

osv 17
nessus 5
openvas 4
fedora 2
thn 1
vulnrichment 10
veracode 2
cvelist 10
nvd 10
cve 10
debiancve 9
alpinelinux 9
ubuntucve 9
github 1
zdt 2
githubexploit 4
metasploit 1
packetstorm 2
rapid7blog 1
osv
osv
cacti vulnerabilities
2024-08-20 11:14:34
Security update for cacti, cacti-spine
2024-09-02 08:09:11
cacti-1.2.27-1.1 on GA media
2024-06-15 00:00:00
nessus
nessus
Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS / 20.04 LTS / 22.04 LTS / 24.04 LTS : Cacti vulnerabilities (USN-6969-1)
2024-08-21 00:00:00
openSUSE 15 Security Update : cacti, cacti-spine (openSUSE-SU-2024:0276-1)
2024-09-03 00:00:00
openSUSE 15 Security Update : cacti, cacti-spine (openSUSE-SU-2024:0274-1)
2024-09-03 00:00:00
openvas
openvas
Ubuntu: Security Advisory (USN-6969-1)
2024-08-21 00:00:00
Debian: Security Advisory (DLA-3884-1)
2024-09-10 00:00:00
Fedora: Security Advisory (FEDORA-2024-27a594f71d)
2024-06-07 00:00:00
fedora
fedora
[SECURITY] Fedora 39 Update: cacti-spine-1.2.27-1.fc39
2024-05-31 02:14:04
[SECURITY] Fedora 39 Update: cacti-1.2.27-1.fc39
2024-05-31 02:14:03
thn
thn
Critical Flaws in Cacti Framework Could Let Attackers Execute Malicious Code
2024-05-14 11:17:00
vulnrichment
vulnrichment
CVE-2024-34360 Previous ATX is not checked to be the newest valid ATX by Smesher when validating incoming ATX
2024-05-10 15:50:05
CVE-2024-31443 Cacti XSS vulnerability in lib/html_tree.php by reading dirty data stored in database
2024-05-13 15:01:44
CVE-2024-31445 SQL Injection vulnerability in automation_get_new_graphs_sql
2024-05-13 15:05:56
veracode
veracode
Improper Check For Unusual Or Exceptional Conditions
2024-05-13 10:15:18
Cross-Site Scripting
2024-05-20 02:38:48
cvelist
cvelist
CVE-2024-34360 Previous ATX is not checked to be the newest valid ATX by Smesher when validating incoming ATX
2024-05-10 15:50:05
CVE-2024-31445 SQL Injection vulnerability in automation_get_new_graphs_sql
2024-05-13 15:05:56
CVE-2024-31444 Cacti XSS vulnerability in lib/html.php by reading dirty data stored in database
2024-05-13 15:03:58
nvd
nvd
CVE-2024-34360
2024-05-14 15:38:45
CVE-2024-31443
2024-05-14 15:25:20
CVE-2024-31444
2024-05-14 15:25:20
cve
cve
CVE-2024-34360
2024-05-14 15:38:45
CVE-2024-31444
2024-05-14 15:25:20
CVE-2024-34340
2024-05-14 15:38:39
debiancve
debiancve
CVE-2024-31445
2024-05-14 15:25:21
CVE-2024-31458
2024-05-14 15:25:25
CVE-2024-31443
2024-05-14 15:25:20
alpinelinux
alpinelinux
CVE-2024-31443
2024-05-14 15:25:20
CVE-2024-31444
2024-05-14 15:25:20
CVE-2024-34340
2024-05-14 15:38:39
ubuntucve
ubuntucve
CVE-2024-31443
2024-05-14 00:00:00
CVE-2024-31444
2024-05-14 00:00:00
CVE-2024-31458
2024-05-14 00:00:00
github
github
Previous ATX is not checked to be the newest valid ATX by Smesher when validating incoming ATX
2024-05-10 15:33:40
zdt
zdt
Cacti Import Packages Remote Code Execution Exploit
2024-06-13 00:00:00
Cacti 1.2.26 Remote Code Execution Vulnerability
2024-05-15 00:00:00
githubexploit
githubexploit
Exploit for CVE-2024-25641
2024-08-29 06:27:25
Exploit for CVE-2024-25641
2024-08-27 01:19:25
Exploit for CVE-2024-25641
2024-08-27 16:41:39
metasploit
metasploit
Cacti Import Packages RCE
2024-05-22 15:38:53
packetstorm
packetstorm
Cacti Import Packages Remote Code Execution
2024-06-13 00:00:00
Cacti 1.2.26 Remote Code Execution
2024-05-15 00:00:00
rapid7blog
rapid7blog
Metasploit Weekly Wrap-Up 06/14/2024
2024-06-14 19:09:16

CVSS3

9.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

AI Score

8.1

Confidence

Low

EPSS

0.003

Percentile

70.5%

JSON
Related for USN-6969-1
osv17nessus5openvas4fedora2thn1vulnrichment10veracode2cvelist10nvd10cve10debiancve9alpinelinux9ubuntucve9github1zdt2githubexploit4metasploit1packetstorm2rapid7blog1