Description: "An issue was discovered in Cacti 1.2.x through 1.2.16. A SQL injection vulnerability in data_debug.php allows remote authenticated attackers to execute arbitrary SQL commands via the site_id parameter. This can lead to remote code execution." https://github.com/Cacti/cacti/issues/4022 Fixed but no release.
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7f85f1179fe8b92cc9c1eed6e363f8fde4b7bde7

commit 7f85f1179fe8b92cc9c1eed6e363f8fde4b7bde7
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-01-11 22:17:59 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-01-11 22:17:59 +0000

    net-analyzer/cacti: patch CVE-2020-35701

    Bug: https://bugs.gentoo.org/765019
    Package-Manager: Portage-3.0.12, Repoman-3.0.2
    Signed-off-by: Sam James <sam@gentoo.org>

 net-analyzer/cacti/cacti-1.2.16-r1.ebuild         |  54 ++++
 .../cacti/files/cacti-1.2.16-CVE-2020-35701.patch |  29 ++
 .../cacti/files/cacti-1.2.16-XSS-issue-4019.patch | 360 +++++++++++++++++++++
 3 files changed, 443 insertions(+)
sparc stable
ALLARCHES stable. Closing.
This issue was resolved and addressed in GLSA 202101-31 at https://security.gentoo.org/glsa/202101-31 by GLSA coordinator Sam James (sam_c).
Reopening for cleanup
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=808d66f59c5fc0130a9b22a30f47ffcfb384be87

commit 808d66f59c5fc0130a9b22a30f47ffcfb384be87
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-01-26 23:46:19 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-01-26 23:46:24 +0000

    net-analyzer/cacti: security cleanup

    Bug: https://bugs.gentoo.org/765019
    Package-Manager: Portage-3.0.14, Repoman-3.0.2
    Signed-off-by: Sam James <sam@gentoo.org>

 net-analyzer/cacti/Manifest            |  1 -
 net-analyzer/cacti/cacti-1.2.14.ebuild | 48 ---------------------------------
 net-analyzer/cacti/cacti-1.2.16.ebuild | 49 ----------------------------------
 3 files changed, 98 deletions(-)