Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 294573 (CVE-2009-4032)

Summary: <net-analyzer/cacti-0.8.7e-r1 Multiple XSS flaws (CVE-2009-{4032,4112})
Product: Gentoo Security Reporter: Peter Volkov (RETIRED) <pva>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Severity: minor CC: netmon
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B4 [noglsa]
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 293268    

Description Peter Volkov (RETIRED) gentoo-dev 2009-11-25 11:13:22 UTC
Cacti is prone to multiple HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content.

Attacker-supplied HTML and script code would run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.

Cacti 0.8.7e is vulnerable; other versions may be affected as well.

New version is in the tree. Arch teams, please, stabilize.
Comment 1 Brent Baude (RETIRED) gentoo-dev 2009-11-25 19:33:55 UTC
ppc64 done
Comment 2 Christian Faulhammer (RETIRED) gentoo-dev 2009-11-26 10:46:07 UTC
x86 stable
Comment 3 Tobias Klausmann (RETIRED) gentoo-dev 2009-11-29 14:41:39 UTC
Stable on alpha.
Comment 4 Markus Meier gentoo-dev 2009-11-30 10:47:20 UTC
amd64 stable
Comment 5 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-11-30 18:58:08 UTC
CVE-2009-4032 (
  Multiple cross-site scripting (XSS) vulnerabilities in Cacti 0.8.7e
  allow remote attackers to inject arbitrary web script or HTML via
  vectors related to (1) graph.php, (2) include/top_graph_header.php,
  (3) lib/html_form.php, and (4) lib/timespan_settings.php.

Comment 6 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-12-03 09:17:15 UTC
CVE-2009-4112 (
  Cacti 0.8.7e and earlier allows remote authenticated administrators
  to gain privileges by modifying the "Data Input Method" for the
  "Linux - Get Memory Usage" setting to contain arbitrary commands.

Comment 7 Raúl Porcel (RETIRED) gentoo-dev 2009-12-09 18:51:33 UTC
sparc stable
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2009-12-20 16:59:48 UTC
Stable for PPC.
Comment 9 Stefan Behte (RETIRED) gentoo-dev Security 2009-12-21 00:21:42 UTC
All arches done. Closing noglsa.