Debian Long Term Support / LTS Security Information / 2015 / Security Information -- DLA-255-1 cacti

Debian Security Advisory

DLA-255-1 cacti -- LTS security update

Date Reported:

27 Jun 2015

Affected Packages:

cacti

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2015-2665, CVE-2015-4342, CVE-2015-4454.

More information:

Several vulnerabilities (cross-site scripting and SQL injection) have been discovered in Cacti, a web interface for graphing of monitoring systems.

We recommend that you upgrade your cacti packages.

• CVE-2015-2665

  Cross-site scripting (XSS) vulnerability in Cacti before 0.8.8d allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

• CVE-2015-4342

  SQL Injection and Location header injection from cdef id

• CVE-2015-4454

  SQL injection vulnerability in the get_hash_graph_template function in lib/functions.php in Cacti before 0.8.8d allows remote attackers to execute arbitrary SQL commands via the graph_template_id parameter to graph_templates.php

• Unassigned CVE SQL injection VN:JVN#78187936 / TN:JPCERT#98968540

  SQL injection vulnerability in the settings page