Bugzilla – Bug 1215024
VUL-0: cacti: multiple security issues fixed in 1.2.25
Last modified: 2023-09-06 20:36:11 UTC
From https://github.com/Cacti/cacti/blob/release/1.2.25/CHANGELOG -security#GHSA-77rf-774j-6h3p: Protect against Insecure deserialization of filter data -security#GHSA-gx8c-xvjh-9qh4: Protect against Cross-Site Scripting vulnerability when creating new graphs -security#GHSA-6r43-q2fw-5wrg: Protect against Unauthenticated SQL Injection when viewing graphs -security#GHSA-6jhp-mgqg-fhqg: Protect against SQL Injection when saving data with sql_save() -security#GHSA-g6ff-58cj-x3cp: Protect against Authenticated command injection when using SNMP options -security#GHSA-q4wh-3f9w-836h: Protect against Authenticated SQL injection vulnerability when managing graphs -security#GHSA-gj95-7xr8-9p7g: Protect against Authenticated SQL injection vulnerability when managing reports -security#GHSA-v5w7-hww7-2f22: Protect against SQL Injection when using regular expressions -security#GHSA-4pjv-rmrp-r59x: Protect against Open redirect in change password functionality -security#GHSA-rwhh-xxm6-vcrv: Protect against Cross-Site Scripting vulnerability with Device Name when managing Data Sources -security#GHSA-24w4-4hp2-3j8h: Protect against Cross-Site Scripting vulnerability with Device Name when administrating Reports -security#GHSA-5hpr-4hhc-8q42: Protect against Cross-Site Scripting vulnerability with Device Name when editing Graphs whilst managing Reports -security#GHSA-vqcc-5v63-g9q7: Protect against Cross-Site Scripting vulnerability with Device Name when managing Data Sources -security#GHSA-9fj7-8f2j-2rw2: Protect against Cross-Site Scripting vulnerability with Device Name when debugging data queries -security#GHSA-6hrc-2cfc-8hm7: Protect against Cross-Site Scripting vulnerability with Data Source Name when managing Graphs -security#GHSA-hrg9-qqqx-wc4h: Protect against Cross-Site Scripting vulnerability with Data Source Name when debugging Data Queries -security#GHSA-r8qq-88g3-hmgv: Protect against Cross-Site Scripting vulnerability with Data Source Information when managing Data Sources https://github.com/Cacti/cacti/security/advisories/GHSA-77rf-774j-6h3p https://github.com/Cacti/cacti/security/advisories/GHSA-gx8c-xvjh-9qh4 https://github.com/Cacti/cacti/security/advisories/GHSA-6r43-q2fw-5wrg https://github.com/Cacti/cacti/security/advisories/GHSA-6jhp-mgqg-fhqg https://github.com/Cacti/cacti/security/advisories/GHSA-g6ff-58cj-x3cp https://github.com/Cacti/cacti/security/advisories/GHSA-q4wh-3f9w-836h https://github.com/Cacti/cacti/security/advisories/GHSA-gj95-7xr8-9p7g https://github.com/Cacti/cacti/security/advisories/GHSA-v5w7-hww7-2f22 https://github.com/Cacti/cacti/security/advisories/GHSA-4pjv-rmrp-r59x https://github.com/Cacti/cacti/security/advisories/GHSA-rwhh-xxm6-vcrv https://github.com/Cacti/cacti/security/advisories/GHSA-24w4-4hp2-3j8h https://github.com/Cacti/cacti/security/advisories/GHSA-5hpr-4hhc-8q42 https://github.com/Cacti/cacti/security/advisories/GHSA-vqcc-5v63-g9q7 https://github.com/Cacti/cacti/security/advisories/GHSA-9fj7-8f2j-2rw2 https://github.com/Cacti/cacti/security/advisories/GHSA-6hrc-2cfc-8hm7 https://github.com/Cacti/cacti/security/advisories/GHSA-hrg9-qqqx-wc4h https://github.com/Cacti/cacti/security/advisories/GHSA-r8qq-88g3-hmgv Does not seem to include bug 1214170 / CVE-2023-3754
submitted
CVE-2023-30534 CVE-2023-39360 CVE-2023-39361 CVE-2023-39357 CVE-2023-39362 CVE-2023-39359 CVE-2023-39358 CVE-2023-39365 CVE-2023-39364 CVE-2023-39366 CVE-2023-39510 CVE-2023-39512 CVE-2023-39513 CVE-2023-39514 CVE-2023-39515 CVE-2023-39516
This is an autogenerated message for OBS integration: This bug (1215024) was mentioned in https://build.opensuse.org/request/show/1109188 Factory / cacti https://build.opensuse.org/request/show/1109189 Backports:SLE-12+Backports:SLE-15-SP4+Backports:SLE-15-SP5 / cacti+cacti-spine
Resolving in favor of individual bugs
* CVE-2023-30534: Protect against Insecure deserialization of filter data (boo#1215082) * CVE-2023-39360: Cross-Site Scripting vulnerability when creating new graphs (boo#1215044) * CVE-2023-39361: Unauthenticated SQL Injection when viewing graphs (boo#1215045) * CVE-2023-39357: SQL Injection when saving data with sql_save() (boo#1215040) * CVE-2023-39362: Authenticated command injection when using SNMP options (boo#1215047) * CVE-2023-39359: Authenticated SQL injection vulnerability when managing graphs (boo#1215043) * CVE-2023-39358: Authenticated SQL injection vulnerability when managing reports (boo#1215042) * CVE-2023-39365: SQL Injection when using regular expressions (boo#1215051) * CVE-2023-39364: redirect in change password functionality (boo#1215050) * CVE-2023-39366: Cross-Site Scripting vulnerability with Device Name when managing Data Sources (boo#1215052) * CVE-2023-39510: Cross-Site Scripting vulnerability with Device Name when administrating Reports (boo#1215053) * CVE-2023-39511: Cross-Site Scripting vulnerability with Device Name when editing Graphs whilst managing Reports (boo#1215081) * CVE-2023-39512: Cross-Site Scripting vulnerability with Device Name when managing Data Sources (boo#1215054) * CVE-2023-39513: Cross-Site Scripting vulnerability with Device Name when debugging data queries (boo#1215055) * CVE-2023-39514: Cross-Site Scripting vulnerability with Data Source Name when managing Graphs (boo#1215056) * CVE-2023-39515: Cross-Site Scripting vulnerability with Data Source Name when debugging Data Queries (boo#1215058) * CVE-2023-39516: Cross-Site Scripting vulnerability with Data Source Information when managing Data Sources (boo#1215059)