cacti-0.8.8h-1.2 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:10084 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z cacti-0.8.8h-1.2 on GA media These are all security issues fixed in the cacti-0.8.8h-1.2 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-10084 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:10084 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2013-5588/ SUSE CVE CVE-2013-5588 page https://www.suse.com/security/cve/CVE-2013-5589/ SUSE CVE CVE-2013-5589 page https://www.suse.com/security/cve/CVE-2014-2326/ SUSE CVE CVE-2014-2326 page https://www.suse.com/security/cve/CVE-2014-2327/ SUSE CVE CVE-2014-2327 page https://www.suse.com/security/cve/CVE-2014-2328/ SUSE CVE CVE-2014-2328 page https://www.suse.com/security/cve/CVE-2014-2708/ SUSE CVE CVE-2014-2708 page https://www.suse.com/security/cve/CVE-2014-2709/ SUSE CVE CVE-2014-2709 page https://www.suse.com/security/cve/CVE-2014-4002/ SUSE CVE CVE-2014-4002 page https://www.suse.com/security/cve/CVE-2014-5025/ SUSE CVE CVE-2014-5025 page https://www.suse.com/security/cve/CVE-2014-5026/ SUSE CVE CVE-2014-5026 page https://www.suse.com/security/cve/CVE-2015-4342/ SUSE CVE CVE-2015-4342 page https://www.suse.com/security/cve/CVE-2015-4634/ SUSE CVE CVE-2015-4634 page https://www.suse.com/security/cve/CVE-2015-8369/ SUSE CVE CVE-2015-8369 page https://www.suse.com/security/cve/CVE-2015-8377/ SUSE CVE CVE-2015-8377 page https://www.suse.com/security/cve/CVE-2015-8604/ SUSE CVE CVE-2015-8604 page https://www.suse.com/security/cve/CVE-2016-2313/ SUSE CVE CVE-2016-2313 page https://www.suse.com/security/cve/CVE-2016-3172/ SUSE CVE CVE-2016-3172 page https://www.suse.com/security/cve/CVE-2016-3659/ SUSE CVE CVE-2016-3659 page openSUSE Tumbleweed cacti-0.8.8h-1.2 cacti-doc-0.8.8h-1.2 cacti-0.8.8h-1.2 as a component of openSUSE Tumbleweed cacti-doc-0.8.8h-1.2 as a component of openSUSE Tumbleweed Multiple cross-site scripting (XSS) vulnerabilities in Cacti 0.8.8b and earlier allow remote attackers to inject arbitrary web script or HTML via (1) the step parameter to install/index.php or (2) the id parameter to cacti/host.php. CVE-2013-5588 openSUSE Tumbleweed:cacti-0.8.8h-1.2 openSUSE Tumbleweed:cacti-doc-0.8.8h-1.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2013-5588.html CVE-2013-5588 https://bugzilla.suse.com/837440 SUSE Bug 837440 https://bugzilla.suse.com/920399 SUSE Bug 920399 SQL injection vulnerability in cacti/host.php in Cacti 0.8.8b and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter. CVE-2013-5589 openSUSE Tumbleweed:cacti-0.8.8h-1.2 openSUSE Tumbleweed:cacti-doc-0.8.8h-1.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2013-5589.html CVE-2013-5589 https://bugzilla.suse.com/837440 SUSE Bug 837440 https://bugzilla.suse.com/920399 SUSE Bug 920399 Cross-site scripting (XSS) vulnerability in cdef.php in Cacti 0.8.7g, 0.8.8b, and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. CVE-2014-2326 openSUSE Tumbleweed:cacti-0.8.8h-1.2 openSUSE Tumbleweed:cacti-doc-0.8.8h-1.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-2326.html CVE-2014-2326 https://bugzilla.suse.com/870821 SUSE Bug 870821 https://bugzilla.suse.com/920399 SUSE Bug 920399 Cross-site request forgery (CSRF) vulnerability in Cacti 0.8.7g, 0.8.8b, and earlier allows remote attackers to hijack the authentication of users for unspecified commands, as demonstrated by requests that (1) modify binary files, (2) modify configurations, or (3) add arbitrary users. CVE-2014-2327 openSUSE Tumbleweed:cacti-0.8.8h-1.2 openSUSE Tumbleweed:cacti-doc-0.8.8h-1.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-2327.html CVE-2014-2327 https://bugzilla.suse.com/920399 SUSE Bug 920399 lib/graph_export.php in Cacti 0.8.7g, 0.8.8b, and earlier allows remote authenticated users to execute arbitrary commands via shell metacharacters in unspecified vectors. CVE-2014-2328 openSUSE Tumbleweed:cacti-0.8.8h-1.2 openSUSE Tumbleweed:cacti-doc-0.8.8h-1.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-2328.html CVE-2014-2328 https://bugzilla.suse.com/920399 SUSE Bug 920399 Multiple SQL injection vulnerabilities in graph_xport.php in Cacti 0.8.7g, 0.8.8b, and earlier allow remote attackers to execute arbitrary SQL commands via the (1) graph_start, (2) graph_end, (3) graph_height, (4) graph_width, (5) graph_nolegend, (6) print_source, (7) local_graph_id, or (8) rra_id parameter. CVE-2014-2708 openSUSE Tumbleweed:cacti-0.8.8h-1.2 openSUSE Tumbleweed:cacti-doc-0.8.8h-1.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-2708.html CVE-2014-2708 https://bugzilla.suse.com/872008 SUSE Bug 872008 lib/rrd.php in Cacti 0.8.7g, 0.8.8b, and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in unspecified parameters. CVE-2014-2709 openSUSE Tumbleweed:cacti-0.8.8h-1.2 openSUSE Tumbleweed:cacti-doc-0.8.8h-1.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-2709.html CVE-2014-2709 https://bugzilla.suse.com/872008 SUSE Bug 872008 Multiple cross-site scripting (XSS) vulnerabilities in Cacti 0.8.8b allow remote attackers to inject arbitrary web script or HTML via the (1) drp_action parameter to cdef.php, (2) data_input.php, (3) data_queries.php, (4) data_sources.php, (5) data_templates.php, (6) graph_templates.php, (7) graphs.php, (8) host.php, or (9) host_templates.php or the (10) graph_template_input_id or (11) graph_template_id parameter to graph_templates_inputs.php. CVE-2014-4002 openSUSE Tumbleweed:cacti-0.8.8h-1.2 openSUSE Tumbleweed:cacti-doc-0.8.8h-1.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-4002.html CVE-2014-4002 https://bugzilla.suse.com/884326 SUSE Bug 884326 https://bugzilla.suse.com/920399 SUSE Bug 920399 Cross-site scripting (XSS) vulnerability in data_sources.php in Cacti 0.8.8b allows remote authenticated users with console access to inject arbitrary web script or HTML via the name_cache parameter in a ds_edit action. CVE-2014-5025 openSUSE Tumbleweed:cacti-0.8.8h-1.2 openSUSE Tumbleweed:cacti-doc-0.8.8h-1.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-5025.html CVE-2014-5025 https://bugzilla.suse.com/888686 SUSE Bug 888686 https://bugzilla.suse.com/920399 SUSE Bug 920399 Multiple cross-site scripting (XSS) vulnerabilities in Cacti 0.8.8b allow remote authenticated users with console access to inject arbitrary web script or HTML via a (1) Graph Tree Title in a delete or (2) edit action; (3) CDEF Name, (4) Data Input Method Name, or (5) Host Templates Name in a delete action; (6) Data Source Title; (7) Graph Title; or (8) Graph Template Name in a delete or (9) duplicate action. CVE-2014-5026 openSUSE Tumbleweed:cacti-0.8.8h-1.2 openSUSE Tumbleweed:cacti-doc-0.8.8h-1.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-5026.html CVE-2014-5026 https://bugzilla.suse.com/888686 SUSE Bug 888686 https://bugzilla.suse.com/920399 SUSE Bug 920399 SQL injection vulnerability in Cacti before 0.8.8d allows remote attackers to execute arbitrary SQL commands via unspecified vectors involving a cdef id. CVE-2015-4342 openSUSE Tumbleweed:cacti-0.8.8h-1.2 openSUSE Tumbleweed:cacti-doc-0.8.8h-1.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-4342.html CVE-2015-4342 https://bugzilla.suse.com/934187 SUSE Bug 934187 https://bugzilla.suse.com/935199 SUSE Bug 935199 SQL injection vulnerability in graphs.php in Cacti before 0.8.8e allows remote attackers to execute arbitrary SQL commands via the local_graph_id parameter. CVE-2015-4634 openSUSE Tumbleweed:cacti-0.8.8h-1.2 openSUSE Tumbleweed:cacti-doc-0.8.8h-1.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-4634.html CVE-2015-4634 https://bugzilla.suse.com/937997 SUSE Bug 937997 SQL injection vulnerability in include/top_graph_header.php in Cacti 0.8.8f and earlier allows remote attackers to execute arbitrary SQL commands via the rra_id parameter in a properties action to graph.php. CVE-2015-8369 openSUSE Tumbleweed:cacti-0.8.8h-1.2 openSUSE Tumbleweed:cacti-doc-0.8.8h-1.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-8369.html CVE-2015-8369 https://bugzilla.suse.com/958863 SUSE Bug 958863 https://bugzilla.suse.com/958977 SUSE Bug 958977 https://bugzilla.suse.com/960678 SUSE Bug 960678 SQL injection vulnerability in the host_new_graphs_save function in graphs_new.php in Cacti 0.8.8f and earlier allows remote authenticated users to execute arbitrary SQL commands via crafted serialized data in the selected_graphs_array parameter in a save action. CVE-2015-8377 openSUSE Tumbleweed:cacti-0.8.8h-1.2 openSUSE Tumbleweed:cacti-doc-0.8.8h-1.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-8377.html CVE-2015-8377 https://bugzilla.suse.com/958863 SUSE Bug 958863 https://bugzilla.suse.com/958977 SUSE Bug 958977 https://bugzilla.suse.com/960678 SUSE Bug 960678 SQL injection vulnerability in the host_new_graphs function in graphs_new.php in Cacti 0.8.8f and earlier allows remote authenticated users to execute arbitrary SQL commands via the cg_g parameter in a save action. CVE-2015-8604 openSUSE Tumbleweed:cacti-0.8.8h-1.2 openSUSE Tumbleweed:cacti-doc-0.8.8h-1.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-8604.html CVE-2015-8604 https://bugzilla.suse.com/960678 SUSE Bug 960678 auth_login.php in Cacti before 0.8.8g allows remote authenticated users who use web authentication to bypass intended access restrictions by logging in as a user not in the cacti database. CVE-2016-2313 openSUSE Tumbleweed:cacti-0.8.8h-1.2 openSUSE Tumbleweed:cacti-doc-0.8.8h-1.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-2313.html CVE-2016-2313 https://bugzilla.suse.com/1022564 SUSE Bug 1022564 https://bugzilla.suse.com/1069693 SUSE Bug 1069693 https://bugzilla.suse.com/965930 SUSE Bug 965930 SQL injection vulnerability in tree.php in Cacti 0.8.8g and earlier allows remote authenticated users to execute arbitrary SQL commands via the parent_id parameter in an item_edit action. CVE-2016-3172 openSUSE Tumbleweed:cacti-0.8.8h-1.2 openSUSE Tumbleweed:cacti-doc-0.8.8h-1.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-3172.html CVE-2016-3172 https://bugzilla.suse.com/971357 SUSE Bug 971357 https://bugzilla.suse.com/974013 SUSE Bug 974013 SQL injection vulnerability in graph_view.php in Cacti 0.8.8.g allows remote authenticated users to execute arbitrary SQL commands via the host_group_data parameter. CVE-2016-3659 openSUSE Tumbleweed:cacti-0.8.8h-1.2 openSUSE Tumbleweed:cacti-doc-0.8.8h-1.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-3659.html CVE-2016-3659 https://bugzilla.suse.com/974013 SUSE Bug 974013