Updated cacti packages fix security vulnerabilities
Publication date: 13 Aug 2017
Modification date: 13 Aug 2017
Type: security
Affected Mageia releases: 6
CVE: CVE-2017-10970 , CVE-2017-11163 , CVE-2017-11691 , CVE-2017-12065 , CVE-2017-12066
Description
Cross-site scripting (XSS) vulnerability in link.php in Cacti 1.1.12
allows remote anonymous users to inject arbitrary web script or HTML
via the id parameter, related to the die_html_input_error function in
lib/html_validate.php (CVE-2017-10970).
Cross-site scripting (XSS) vulnerability in aggregate_graphs.php in
Cacti 1.1.12 allows remote authenticated users to inject arbitrary web
script or HTML via specially crafted HTTP Referer headers, related to
the $cancel_url variable (CVE-2017-11163).
A cross-site scripting (XSS) vulnerability exists in Cacti before 1.1.14 in
the user profile management page (auth_profile.php), allowing injection of
arbitrary web script or HTML via specially crafted HTTP Referer headers
(CVE-2017-11691).
spikekill.php in Cacti before 1.1.16 might allow remote attackers to
execute arbitrary code via the avgnan, outlier-start, or outlier-end
parameter (CVE-2017-12065).
Cross-site scripting (XSS) vulnerability in aggregate_graphs.php in
Cacti before 1.1.16 allows remote authenticated users to inject
arbitrary web script or HTML via specially crafted HTTP Referer headers,
related to the $cancel_url variable (CVE-2017-12066).
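The Referer-to-$cancel_url pattern behind CVE-2017-11163 and CVE-2017-12066, as an added PHP example that is not Cacti's code: a hypothetical unsafe helper next to a hardened one. The function names, the host name and the fallback page are assumptions, and the Referer value is constructed for the demonstration.

```php
<?php
// Added example, not Cacti code: a "cancel" link built from the Referer header.

// Unsafe: the header value is copied into an HTML attribute without escaping,
// so a crafted Referer can close the attribute and add its own markup.
function cancel_link_unsafe(string $referer): string {
    $cancel_url = $referer;
    return '<a href="' . $cancel_url . '">Cancel</a>';
}

// Hardened: keep only a same-host path (plus query) taken from the Referer,
// fall back to a fixed page otherwise, and always HTML-escape on output.
function cancel_link_safe(?string $referer, string $fallback = 'aggregate_graphs.php'): string {
    $cancel_url = $fallback;
    if ($referer !== null) {
        $parts = parse_url($referer);
        $same_host = $parts !== false
            && isset($parts['host'], $_SERVER['HTTP_HOST'])
            && strcasecmp($parts['host'], $_SERVER['HTTP_HOST']) === 0;
        if ($same_host && isset($parts['path'])) {
            // Discard scheme, host and fragment; rebuild a relative target only.
            $cancel_url = $parts['path']
                . (isset($parts['query']) ? '?' . $parts['query'] : '');
        }
    }
    return '<a href="' . htmlspecialchars($cancel_url, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '">Cancel</a>';
}

// Demonstration with constructed values (run from the CLI: php example.php).
$_SERVER['HTTP_HOST'] = 'cacti.example';                       // assumed host
$referer = 'https://cacti.example/graphs.php?id=1" data-injected="yes';

echo cancel_link_unsafe($referer), PHP_EOL;   // attribute breakout: a second attribute appears
echo cancel_link_safe($referer), PHP_EOL;     // quote escaped as &quot;, still one attribute
echo cancel_link_safe('https://other.example/x'), PHP_EOL; // foreign host: fallback page
```

The hardened form addresses both the injection (escaping) and the open-redirect side effect of trusting a foreign-host Referer (same-host check), which is why it does more than add htmlspecialchars.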
References
- https://bugs.mageia.org/show_bug.cgi?id=21242
- https://www.cacti.net/changelog.php
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/7MRJCGVNDLW7RCTYSL72XGP74PCMOIH2/
- http://openwall.com/lists/oss-security/2017/07/27/1
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/QN75M6HGIKEEX7HYFWHIO6IYDB5RXFP6/
- https://lists.opensuse.org/opensuse-updates/2017-08/msg00018.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10970
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11163
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11691
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12065
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12066
SRPMS
6/core
- cacti-1.1.16-1.mga6