-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - ------------------------------------------------------------------------- Debian LTS Advisory DLA-3765-1 debian-...@lists.debian.org https://www.debian.org/lts/security/ Sylvain Beucler March 18, 2024 https://wiki.debian.org/LTS - -------------------------------------------------------------------------
Package : cacti Version : 1.2.2+ds1-2+deb10u6 CVE ID : CVE-2023-39357 CVE-2023-39360 CVE-2023-39361 CVE-2023-39362 CVE-2023-39364 CVE-2023-39365 CVE-2023-39513 CVE-2023-39515 CVE-2023-39516 CVE-2023-49084 CVE-2023-49085 CVE-2023-49086 CVE-2023-49088 Debian Bug : 1059254 Multiple vulnerabilities were found in Cacti, a network monitoring system. An attacker could manipulate the database, execute code remotely, launch DoS (denial-of-service) attacks or impersonate Cacti users, in some situations. CVE-2023-39357 When the column type is numeric, the sql_save function directly utilizes user input. Many files and functions calling the sql_save function do not perform prior validation of user input, leading to the existence of multiple SQL injection vulnerabilities in Cacti. This allows authenticated users to exploit these SQL injection vulnerabilities to perform privilege escalation and remote code execution. CVE-2023-39360 Stored Cross-Site-Scripting (XSS) Vulnerability allows an authenticated user to poison data. The vulnerability is found in `graphs_new.php`. Several validations are performed, but the `returnto` parameter is directly passed to `form_save_button`. In order to bypass this validation, returnto must contain `host.php`. CVE-2023-39361 SQL injection discovered in graph_view.php. Since guest users can access graph_view.php without authentication by default, if guest users are being utilized in an enabled state, there could be the potential for significant damage. Attackers may exploit this vulnerability, and there may be povssibilities for actions such as the usurpation of administrative privileges or remote code execution. CVE-2023-39362 An authenticated privileged user, can use a malicious string in the SNMP options of a Device, performing command injection and obtaining remote code execution on the underlying server. The `lib/snmp.php` file has a set of functions, with similar behavior, that accept in input some variables and place them into an `exec` call without a proper escape or validation. CVE-2023-39364 Users with console access can be redirected to an arbitrary website after a change password performed via a specifically crafted URL. The `auth_changepassword.php` file accepts `ref` as a URL parameter and reflects it in the form used to perform the change password. It's value is used to perform a redirect via `header` PHP function. A user can be tricked in performing the change password operation, e.g., via a phishing message, and then interacting with the malicious website where the redirection has been performed, e.g., downloading malwares, providing credentials, etc. CVE-2023-39365 Issues with Cacti Regular Expression validation combined with the external links feature can lead to limited SQL Injections and subsequent data leakage. CVE-2023-39513 Stored Cross-Site-Scripting (XSS) Vulnerability which allows an authenticated user to poison data stored in the _cacti_'s database. The script under `host.php` is used to monitor and manage hosts in the _cacti_ app, hence displays useful information such as data queries and verbose logs. CVE-2023-39515 Stored Cross-Site-Scripting (XSS) Vulnerability allows an authenticated user to poison data stored in the cacti's database. These data will be viewed by administrative cacti accounts and execute JavaScript code in the victim's browser at view-time. The script under `data_debug.php` displays data source related debugging information such as _data source paths, polling settings, meta-data on the data source. CVE-2023-39516 Stored Cross-Site-Scripting (XSS) Vulnerability which allows an authenticated user to poison data stored in the _cacti_'s database. These data will be viewed by administrative _cacti_ accounts and execute JavaScript code in the victim's browser at view-time. The script under `data_sources.php` displays the data source management information (e.g. data source path, polling configuration etc.) for different data visualizations of the _cacti_ app. CVE-2023-49084 While using the detected SQL Injection and insufficient processing of the include file path, it is possible to execute arbitrary code on the server. Exploitation of the vulnerability is possible for an authorized user. The vulnerable component is the `link.php`. CVE-2023-49085 It is possible to execute arbitrary SQL code through the `pollers.php` script. An authorized user may be able to execute arbitrary SQL code. The vulnerable component is the `pollers.php`. CVE-2023-49086 Bypassing an earlier fix (CVE-2023-39360) that leads to a DOM XSS attack. Exploitation of the vulnerability is possible for an authorized user. The vulnerable component is the `graphs_new.php`. CVE-2023-49088 The fix applied for CVE-2023-39515 in version 1.2.25 is incomplete as it enables an adversary to have a victim browser execute malicious code when a victim user hovers their mouse over the malicious data source path in `data_debug.php`. For Debian 10 buster, these problems have been fixed in version 1.2.2+ds1-2+deb10u6. We recommend that you upgrade your cacti packages. For the detailed security status of cacti please refer to its security tracker page at: https://security-tracker.debian.org/tracker/cacti Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE1vEOfV7HXWKqBieIDTl9HeUlXjAFAmX4gD8ACgkQDTl9HeUl XjBYcxAAmAYZrVh2A/WqKiYrOmjuBfrzZYoTsvHQ5vkFopsGmYxOX6UtiH2O0uCk ECaq6eBEwUwkLz1DB8JP0CRoVGsRcs7aN9x0JUno+55/WfJ6BnxsBp7/0x/18IRx FxbIrD4ndx2HhiU1KDzmsFNYo1usvY2AuoBU7HrWxmKculgb9Y1al4/K9PU2TKLY D/J0jf1EAYQC8ieEd0bB4RocIbKUfgS/9Mzv+9zBZ0snpmnv+l1YmWTUbcI0lGsu F8lw8Ap4AqE0SaPyj3PgkOAXAslcjQGTj2ZNbdL/8O38rJvyrA4KSnsvPOa2aJDH 3MHdYb6PyaCzuL7Yrp5hhAfQ41GDV1OomRAm7b9VZlDAu7nk2VGLG8hnCbVfZtay +H7pPoONw3JMGL56ePNf1URjJgT3vwvseIL772BLnRVUpLM1NW+O0fTbxWf/uKbq y51602YnA6jUByCqVrh1xRrx+gYR6QcS1ygcEkkA5qEFo/U2YorZn5JlSpZBPVM9 4fyPS2SKv/c+Dzq1Y+6dsihg55mVyB4cErn7HXPXhsExvkXE0fPXXlj86qvMX1Hd xsAg5oCvBrIvPgYE7SGOKYfyhxihbkyWMLisXZBRWeW68CgQnOgV3GxpCl9IJIP4 CbhlOcW/+kXPU2aTEcVKf+8Wx/13ZG2C1kBjiQVdgtWxmRXXTIY= =3CrP -----END PGP SIGNATURE-----