cacti-1.2.27-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:13962-1 Final 1 1 2024-06-15T00:00:00Z current 2024-06-15T00:00:00Z 2024-06-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z cacti-1.2.27-1.1 on GA media These are all security issues fixed in the cacti-1.2.27-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-13962 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2024-25641/ SUSE CVE CVE-2024-25641 page https://www.suse.com/security/cve/CVE-2024-27082/ SUSE CVE CVE-2024-27082 page https://www.suse.com/security/cve/CVE-2024-29894/ SUSE CVE CVE-2024-29894 page https://www.suse.com/security/cve/CVE-2024-31443/ SUSE CVE CVE-2024-31443 page https://www.suse.com/security/cve/CVE-2024-31444/ SUSE CVE CVE-2024-31444 page https://www.suse.com/security/cve/CVE-2024-31445/ SUSE CVE CVE-2024-31445 page https://www.suse.com/security/cve/CVE-2024-31458/ SUSE CVE CVE-2024-31458 page https://www.suse.com/security/cve/CVE-2024-31459/ SUSE CVE CVE-2024-31459 page https://www.suse.com/security/cve/CVE-2024-31460/ SUSE CVE CVE-2024-31460 page https://www.suse.com/security/cve/CVE-2024-34340/ SUSE CVE CVE-2024-34340 page openSUSE Tumbleweed cacti-1.2.27-1.1 cacti-1.2.27-1.1 as a component of openSUSE Tumbleweed Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, an arbitrary file write vulnerability, exploitable through the "Package Import" feature, allows authenticated users having the "Import Templates" permission to execute arbitrary PHP code on the web server. The vulnerability is located within the `import_package()` function defined into the `/lib/import.php` script. The function blindly trusts the filename and file content provided within the XML data, and writes such files into the Cacti base path (or even outside, since path traversal sequences are not filtered). This can be exploited to write or overwrite arbitrary files on the web server, leading to execution of arbitrary PHP code or other security impacts. Version 1.2.27 contains a patch for this issue. CVE-2024-25641 openSUSE Tumbleweed:cacti-1.2.27-1.1 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-25641.html CVE-2024-25641 https://bugzilla.suse.com/1224229 SUSE Bug 1224229 Cacti provides an operational monitoring and fault management framework. Versions of Cacti prior to 1.2.27 are vulnerable to stored cross-site scripting, a type of cross-site scripting where malicious scripts are permanently stored on a target server and served to users who access a particular page. Version 1.2.27 contains a patch for the issue. CVE-2024-27082 openSUSE Tumbleweed:cacti-1.2.27-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-27082.html CVE-2024-27082 https://bugzilla.suse.com/1224230 SUSE Bug 1224230 Cacti provides an operational monitoring and fault management framework. Versions of Cacti prior to 1.2.27 contain a residual cross-site scripting vulnerability caused by an incomplete fix for CVE-2023-50250. `raise_message_javascript` from `lib/functions.php` now uses purify.js to fix CVE-2023-50250 (among others). However, it still generates the code out of unescaped PHP variables `$title` and `$header`. If those variables contain single quotes, they can be used to inject JavaScript code. An attacker exploiting this vulnerability could execute actions on behalf of other users. This ability to impersonate users could lead to unauthorized changes to settings. Version 1.2.27 fixes this issue. CVE-2024-29894 openSUSE Tumbleweed:cacti-1.2.27-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-29894.html CVE-2024-29894 https://bugzilla.suse.com/1224231 SUSE Bug 1224231 Cacti provides an operational monitoring and fault management framework. Prior to 1.2.27, some of the data stored in `form_save()` function in `data_queries.php` is not thoroughly checked and is used to concatenate the HTML statement in `grow_right_pane_tree()` function from `lib/html.php` , finally resulting in cross-site scripting. Version 1.2.27 contains a patch for the issue. CVE-2024-31443 openSUSE Tumbleweed:cacti-1.2.27-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-31443.html CVE-2024-31443 https://bugzilla.suse.com/1224235 SUSE Bug 1224235 Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, some of the data stored in `automation_tree_rules_form_save()` function in `automation_tree_rules.php` is not thoroughly checked and is used to concatenate the HTML statement in `form_confirm()` function from `lib/html.php` , finally resulting in cross-site scripting. Version 1.2.27 contains a patch for the issue. CVE-2024-31444 openSUSE Tumbleweed:cacti-1.2.27-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-31444.html CVE-2024-31444 https://bugzilla.suse.com/1224236 SUSE Bug 1224236 Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, a SQL injection vulnerability in `automation_get_new_graphs_sql` function of `api_automation.php` allows authenticated users to exploit these SQL injection vulnerabilities to perform privilege escalation and remote code execution. In `api_automation.php` line 856, the `get_request_var('filter')` is being concatenated into the SQL statement without any sanitization. In `api_automation.php` line 717, The filter of `'filter'` is `FILTER_DEFAULT`, which means there is no filter for it. Version 1.2.27 contains a patch for the issue. CVE-2024-31445 openSUSE Tumbleweed:cacti-1.2.27-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-31445.html CVE-2024-31445 https://bugzilla.suse.com/1224237 SUSE Bug 1224237 Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, some of the data stored in `form_save()` function in `graph_template_inputs.php` is not thoroughly checked and is used to concatenate the SQL statement in `draw_nontemplated_fields_graph_item()` function from `lib/html_form_templates.php` , finally resulting in SQL injection. Version 1.2.27 contains a patch for the issue. CVE-2024-31458 openSUSE Tumbleweed:cacti-1.2.27-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-31458.html CVE-2024-31458 https://bugzilla.suse.com/1224240 SUSE Bug 1224240 Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, there is a file inclusion issue in the `lib/plugin.php` file. Combined with SQL injection vulnerabilities, remote code execution can be implemented. There is a file inclusion issue with the `api_plugin_hook()` function in the `lib/plugin.php` file, which reads the plugin_hooks and plugin_config tables in database. The read data is directly used to concatenate the file path which is used for file inclusion. Version 1.2.27 contains a patch for the issue. CVE-2024-31459 openSUSE Tumbleweed:cacti-1.2.27-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-31459.html CVE-2024-31459 https://bugzilla.suse.com/1224238 SUSE Bug 1224238 Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, some of the data stored in `automation_tree_rules.php` is not thoroughly checked and is used to concatenate the SQL statement in `create_all_header_nodes()` function from `lib/api_automation.php` , finally resulting in SQL injection. Using SQL based secondary injection technology, attackers can modify the contents of the Cacti database, and based on the modified content, it may be possible to achieve further impact, such as arbitrary file reading, and even remote code execution through arbitrary file writing. Version 1.2.27 contains a patch for the issue. CVE-2024-31460 openSUSE Tumbleweed:cacti-1.2.27-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-31460.html CVE-2024-31460 https://bugzilla.suse.com/1224239 SUSE Bug 1224239 Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, Cacti calls `compat_password_hash` when users set their password. `compat_password_hash` use `password_hash` if there is it, else use `md5`. When verifying password, it calls `compat_password_verify`. In `compat_password_verify`, `password_verify` is called if there is it, else use `md5`. `password_verify` and `password_hash` are supported on PHP < 5.5.0, following PHP manual. The vulnerability is in `compat_password_verify`. Md5-hashed user input is compared with correct password in database by `$md5 == $hash`. It is a loose comparison, not `===`. It is a type juggling vulnerability. Version 1.2.27 contains a patch for the issue. CVE-2024-34340 openSUSE Tumbleweed:cacti-1.2.27-1.1 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-34340.html CVE-2024-34340 https://bugzilla.suse.com/1224241 SUSE Bug 1224241