cacti-1.2.26-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:13533 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z cacti-1.2.26-1.1 on GA media These are all security issues fixed in the cacti-1.2.26-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-13533 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:13533 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2023-49084/ SUSE CVE CVE-2023-49084 page https://www.suse.com/security/cve/CVE-2023-49085/ SUSE CVE CVE-2023-49085 page https://www.suse.com/security/cve/CVE-2023-49086/ SUSE CVE CVE-2023-49086 page https://www.suse.com/security/cve/CVE-2023-49088/ SUSE CVE CVE-2023-49088 page https://www.suse.com/security/cve/CVE-2023-50250/ SUSE CVE CVE-2023-50250 page https://www.suse.com/security/cve/CVE-2023-51448/ SUSE CVE CVE-2023-51448 page openSUSE Tumbleweed cacti-1.2.26-1.1 cacti-1.2.26-1.1 as a component of openSUSE Tumbleweed Cacti is a robust performance and fault management framework and a frontend to RRDTool - a Time Series Database (TSDB). While using the detected SQL Injection and insufficient processing of the include file path, it is possible to execute arbitrary code on the server. Exploitation of the vulnerability is possible for an authorized user. The vulnerable component is the `link.php`. Impact of the vulnerability execution of arbitrary code on the server. CVE-2023-49084 openSUSE Tumbleweed:cacti-1.2.26-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-49084.html CVE-2023-49084 https://bugzilla.suse.com/1218360 SUSE Bug 1218360 Cacti provides an operational monitoring and fault management framework. In versions 1.2.25 and prior, it is possible to execute arbitrary SQL code through the `pollers.php` script. An authorized user may be able to execute arbitrary SQL code. The vulnerable component is the `pollers.php`. Impact of the vulnerability - arbitrary SQL code execution. As of time of publication, a patch does not appear to exist. CVE-2023-49085 openSUSE Tumbleweed:cacti-1.2.26-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-49085.html CVE-2023-49085 https://bugzilla.suse.com/1218378 SUSE Bug 1218378 Cacti is a robust performance and fault management framework and a frontend to RRDTool - a Time Series Database (TSDB). A vulnerability in versions prior to 1.2.27 bypasses an earlier fix for CVE-2023-39360, therefore leading to a DOM XSS attack. Exploitation of the vulnerability is possible for an authorized user. The vulnerable component is the `graphs_new.php`. The impact of the vulnerability is execution of arbitrary JavaScript code in the attacked user's browser. This issue has been patched in version 1.2.27. CVE-2023-49086 openSUSE Tumbleweed:cacti-1.2.26-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-49086.html CVE-2023-49086 https://bugzilla.suse.com/1218366 SUSE Bug 1218366 Cacti is an open source operational monitoring and fault management framework. The fix applied for CVE-2023-39515 in version 1.2.25 is incomplete as it enables an adversary to have a victim browser execute malicious code when a victim user hovers their mouse over the malicious data source path in `data_debug.php`. To perform the cross-site scripting attack, the adversary needs to be an authorized cacti user with the following permissions: `General Administration>Sites/Devices/Data`. The victim of this attack could be any account with permissions to view `http://<HOST>/cacti/data_debug.php`. As of time of publication, no complete fix has been included in Cacti. CVE-2023-49088 openSUSE Tumbleweed:cacti-1.2.26-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-49088.html CVE-2023-49088 https://bugzilla.suse.com/1218379 SUSE Bug 1218379 Cacti is an open source operational monitoring and fault management framework. A reflection cross-site scripting vulnerability was discovered in version 1.2.25. Attackers can exploit this vulnerability to perform actions on behalf of other users. The vulnerability is found in `templates_import.php.` When uploading an xml template file, if the XML file does not pass the check, the server will give a JavaScript pop-up prompt, which contains unfiltered xml template file name, resulting in XSS. An attacker exploiting this vulnerability could execute actions on behalf of other users. This ability to impersonate users could lead to unauthorized changes to settings. As of time of publication, no patched versions are available. CVE-2023-50250 openSUSE Tumbleweed:cacti-1.2.26-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-50250.html CVE-2023-50250 https://bugzilla.suse.com/1218380 SUSE Bug 1218380 https://bugzilla.suse.com/1224231 SUSE Bug 1224231 Cacti provides an operational monitoring and fault management framework. Version 1.2.25 has a Blind SQL Injection (SQLi) vulnerability within the SNMP Notification Receivers feature in the file `'managers.php'`. An authenticated attacker with the "Settings/Utilities" permission can send a crafted HTTP GET request to the endpoint `'/cacti/managers.php'` with an SQLi payload in the `'selected_graphs_array'` HTTP GET parameter. As of time of publication, no patched versions exist. CVE-2023-51448 openSUSE Tumbleweed:cacti-1.2.26-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-51448.html CVE-2023-51448 https://bugzilla.suse.com/1218381 SUSE Bug 1218381