Updated cacti package fixes security vulnerability
Publication date: 10 Aug 2015Modification date: 10 Aug 2015
Type: security
Affected Mageia releases : 4 , 5
CVE: CVE-2015-2665 , CVE-2015-4342 , CVE-2015-4454 , CVE-2015-4634
Description
Cross-site scripting (XSS) vulnerability in Cacti before 0.8.8d allows remote attackers to inject arbitrary web script or HTML via unspecified vectors (CVE-2015-2665). SQL injection vulnerability in Cacti before 0.8.8d allows remote attackers to execute arbitrary SQL commands via unspecified vectors involving a cdef id (CVE-2015-4342). SQL injection vulnerability in the get_hash_graph_template function in lib/functions.php in Cacti before 0.8.8d allows remote attackers to execute arbitrary SQL commands via the graph_template_id parameter to graph_templates.php (CVE-2015-4454). SQL injection vulnerability in Cacti before 0.8.8e in graphs.php (CVE-2015-4634). The cacti package has been updated to version 0.8.8e, which fixes this issue, as well as other SQL injection and XSS issues and other bugs
References
- https://bugs.mageia.org/show_bug.cgi?id=16202
- https://www.debian.org/security/2015/dsa-3295
- http://www.cacti.net/release_notes_0_8_8d.php
- http://www.cacti.net/release_notes_0_8_8e.php
- http://www.cacti.net/release_notes_0_8_8f.php
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2665
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4342
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4454
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4634
SRPMS
5/core
- cacti-0.8.8f-1.mga5
4/core
- cacti-0.8.8f-1.mga4