Security update for cacti SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2015:0479-1 Final 1 1 2015-03-04T10:45:13Z current 2015-03-04T10:45:13Z 2015-03-04T10:45:13Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for cacti cacti was updated to version 0.8.8c [boo#920399] This update fixes four vulnerabilities and adds some compatible features. - Security fixes not previously patched: - CVE-2014-2326 - XSS issue via CDEF editing - CVE-2014-2327 - Cross-site request forgery (CSRF) vulnerability - CVE-2014-2328 - Remote Command Execution Vulnerability in graph export - CVE-2014-4002 - XSS issues in multiple files - CVE-2014-5025 - XSS issue via data source editing - CVE-2014-5026 - XSS issues in multiple files - Security fixes now upstream: - CVE-2013-5588 - XSS issue via installer or device editing - CVE-2013-5589 - SQL injection vulnerability in device editing New features: - New graph tree view - Updated graph list and graph preview - Refactor graph tree view to remove GPL incompatible code - Updated command line database upgrade utility - Graph zooming now from everywhere The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-updates/2015-03/msg00034.html E-Mail link for openSUSE-SU-2015:0479-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings cacti-0.8.8c-8.1 Cross-site request forgery (CSRF) vulnerability in Cacti 0.8.7g, 0.8.8b, and earlier allows remote attackers to hijack the authentication of users for unspecified commands, as demonstrated by requests that (1) modify binary files, (2) modify configurations, or (3) add arbitrary users. CVE-2014-2327 moderate Please Install the update. https://lists.opensuse.org/opensuse-updates/2015-03/msg00034.html https://www.suse.com/security/cve/CVE-2014-2327.html CVE-2014-2327 https://bugzilla.suse.com/920399 SUSE Bug 920399 Multiple cross-site scripting (XSS) vulnerabilities in Cacti 0.8.8b allow remote attackers to inject arbitrary web script or HTML via the (1) drp_action parameter to cdef.php, (2) data_input.php, (3) data_queries.php, (4) data_sources.php, (5) data_templates.php, (6) graph_templates.php, (7) graphs.php, (8) host.php, or (9) host_templates.php or the (10) graph_template_input_id or (11) graph_template_id parameter to graph_templates_inputs.php. CVE-2014-4002 moderate Please Install the update. https://lists.opensuse.org/opensuse-updates/2015-03/msg00034.html https://www.suse.com/security/cve/CVE-2014-4002.html CVE-2014-4002 https://bugzilla.suse.com/884326 SUSE Bug 884326 https://bugzilla.suse.com/920399 SUSE Bug 920399 Cross-site scripting (XSS) vulnerability in data_sources.php in Cacti 0.8.8b allows remote authenticated users with console access to inject arbitrary web script or HTML via the name_cache parameter in a ds_edit action. CVE-2014-5025 moderate Please Install the update. https://lists.opensuse.org/opensuse-updates/2015-03/msg00034.html https://www.suse.com/security/cve/CVE-2014-5025.html CVE-2014-5025 https://bugzilla.suse.com/888686 SUSE Bug 888686 https://bugzilla.suse.com/920399 SUSE Bug 920399 Multiple cross-site scripting (XSS) vulnerabilities in Cacti 0.8.8b allow remote authenticated users with console access to inject arbitrary web script or HTML via a (1) Graph Tree Title in a delete or (2) edit action; (3) CDEF Name, (4) Data Input Method Name, or (5) Host Templates Name in a delete action; (6) Data Source Title; (7) Graph Title; or (8) Graph Template Name in a delete or (9) duplicate action. CVE-2014-5026 moderate Please Install the update. https://lists.opensuse.org/opensuse-updates/2015-03/msg00034.html https://www.suse.com/security/cve/CVE-2014-5026.html CVE-2014-5026 https://bugzilla.suse.com/888686 SUSE Bug 888686 https://bugzilla.suse.com/920399 SUSE Bug 920399