Advisories » MGASA-2015-0306

Updated cacti package fixes security vulnerability

Publication date: 10 Aug 2015
Type: security
Affected Mageia releases: 4, 5
CVE: CVE-2015-2665, CVE-2015-4342, CVE-2015-4454, CVE-2015-4634

Description

Cross-site scripting (XSS) vulnerability in Cacti before 0.8.8d allows
remote attackers to inject arbitrary web script or HTML via unspecified
vectors (CVE-2015-2665).

SQL injection vulnerability in Cacti before 0.8.8d allows remote attackers
to execute arbitrary SQL commands via unspecified vectors involving a cdef
id (CVE-2015-4342).

SQL injection vulnerability in the get_hash_graph_template function in
lib/functions.php in Cacti before 0.8.8d allows remote attackers to
execute arbitrary SQL commands via the graph_template_id parameter to
graph_templates.php (CVE-2015-4454).

SQL injection vulnerability in Cacti before 0.8.8e in graphs.php
(CVE-2015-4634).

The cacti package has been updated to version 0.8.8e, which fixes these
issues, as well as other SQL injection and XSS issues and other bugs.

References

SRPMS

4/core

5/core