Security update for cacti, cacti-spine
SUSE Patch
security@suse.de
SUSE Security Team
openSUSE-SU-2017:2087-1
Final
1
1
2017-08-07T20:16:05Z
current
2017-08-07T20:16:05Z
2017-08-07T20:16:05Z
cve-database/bin/generate-cvrf.pl
2017-02-24T01:00:00Z
Security update for cacti, cacti-spine
This update for cacti, cacti-spine fixes the following issues:
- CVE-2017-12065: Possible code execution via the avgnan, outlier-start, or outlier-end parameter (bsc#1051633)
- CVE-2017-11691: XSS in auth_profile.php allows remote attackers to inject arbitrary JavaScript via specially crafted HTTP Referer headers (bsc#1050950)
- CVE-2017-10970: XSS issue in link.php (bsc#1047512)
- CVE-2017-11163: XSS issue in lib/html_form.php (bsc#1048102)
In addition, cacti and cacti-spine were updated to the current stable release 1.1.16, containing all upstream improvements and bugfixes.
The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0)
https://lists.opensuse.org/opensuse-updates/2017-08/msg00018.html
E-Mail link for openSUSE-SU-2017:2087-1
https://www.suse.com/support/security/rating/
SUSE Security Ratings
openSUSE Leap 42.2
openSUSE Leap 42.3
cacti-1.1.16-19.1
cacti-doc-1.1.16-19.1
cacti-spine-1.1.16-10.1
cacti-1.1.16-19.1 as a component of openSUSE Leap 42.2
cacti-doc-1.1.16-19.1 as a component of openSUSE Leap 42.2
cacti-spine-1.1.16-10.1 as a component of openSUSE Leap 42.2
cacti-1.1.16-19.1 as a component of openSUSE Leap 42.3
cacti-doc-1.1.16-19.1 as a component of openSUSE Leap 42.3
cacti-spine-1.1.16-10.1 as a component of openSUSE Leap 42.3
Cross-site scripting (XSS) vulnerability in link.php in Cacti 1.1.12 allows remote anonymous users to inject arbitrary web script or HTML via the id parameter, related to the die_html_input_error function in lib/html_validate.php.
CVE-2017-10970
openSUSE Leap 42.2:cacti-1.1.16-19.1
openSUSE Leap 42.2:cacti-doc-1.1.16-19.1
openSUSE Leap 42.2:cacti-spine-1.1.16-10.1
openSUSE Leap 42.3:cacti-1.1.16-19.1
openSUSE Leap 42.3:cacti-doc-1.1.16-19.1
openSUSE Leap 42.3:cacti-spine-1.1.16-10.1
moderate
Please install the update.
https://lists.opensuse.org/opensuse-updates/2017-08/msg00018.html
https://www.suse.com/security/cve/CVE-2017-10970.html
CVE-2017-10970
https://bugzilla.suse.com/1047512
SUSE Bug 1047512
Cross-site scripting (XSS) vulnerability in aggregate_graphs.php in Cacti 1.1.12 allows remote authenticated users to inject arbitrary web script or HTML via specially crafted HTTP Referer headers, related to the $cancel_url variable.
CVE-2017-11163
openSUSE Leap 42.2:cacti-1.1.16-19.1
openSUSE Leap 42.2:cacti-doc-1.1.16-19.1
openSUSE Leap 42.2:cacti-spine-1.1.16-10.1
openSUSE Leap 42.3:cacti-1.1.16-19.1
openSUSE Leap 42.3:cacti-doc-1.1.16-19.1
openSUSE Leap 42.3:cacti-spine-1.1.16-10.1
moderate
Please install the update.
https://lists.opensuse.org/opensuse-updates/2017-08/msg00018.html
https://www.suse.com/security/cve/CVE-2017-11163.html
CVE-2017-11163
https://bugzilla.suse.com/1048102
SUSE Bug 1048102
https://bugzilla.suse.com/1051633
SUSE Bug 1051633
Cross-site scripting (XSS) vulnerability in auth_profile.php in Cacti 1.1.13 allows remote attackers to inject arbitrary web script or HTML via specially crafted HTTP Referer headers.
CVE-2017-11691
openSUSE Leap 42.2:cacti-1.1.16-19.1
openSUSE Leap 42.2:cacti-doc-1.1.16-19.1
openSUSE Leap 42.2:cacti-spine-1.1.16-10.1
openSUSE Leap 42.3:cacti-1.1.16-19.1
openSUSE Leap 42.3:cacti-doc-1.1.16-19.1
openSUSE Leap 42.3:cacti-spine-1.1.16-10.1
moderate
Please install the update.
https://lists.opensuse.org/opensuse-updates/2017-08/msg00018.html
https://www.suse.com/security/cve/CVE-2017-11691.html
CVE-2017-11691
https://bugzilla.suse.com/1050950
SUSE Bug 1050950
spikekill.php in Cacti before 1.1.16 might allow remote attackers to execute arbitrary code via the avgnan, outlier-start, or outlier-end parameter.
CVE-2017-12065
openSUSE Leap 42.2:cacti-1.1.16-19.1
openSUSE Leap 42.2:cacti-doc-1.1.16-19.1
openSUSE Leap 42.2:cacti-spine-1.1.16-10.1
openSUSE Leap 42.3:cacti-1.1.16-19.1
openSUSE Leap 42.3:cacti-doc-1.1.16-19.1
openSUSE Leap 42.3:cacti-spine-1.1.16-10.1
moderate
Please install the update.
https://lists.opensuse.org/opensuse-updates/2017-08/msg00018.html
https://www.suse.com/security/cve/CVE-2017-12065.html
CVE-2017-12065
https://bugzilla.suse.com/1051633
SUSE Bug 1051633