Summary: | net-analyzer/cacti : multiple flaws (CVE-2014-{2326,2327,2328,2708,2709}) | |
---|---|---|---
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago>
Component: | Vulnerabilities | Assignee: | Gentoo Security <security>
Status: | RESOLVED FIXED | |
Severity: | normal | CC: | netmon
Priority: | Normal | |
Version: | unspecified | |
Hardware: | All | |
OS: | Linux | |
URL: | https://bugzilla.redhat.com/show_bug.cgi?id=1082122 | |
See Also: | http://bugs.cacti.net/view.php?id=2431 http://bugs.cacti.net/view.php?id=2432 http://bugs.cacti.net/view.php?id=2433 | |
Whiteboard: | B2 [glsa cve] | |
Package list: | | Runtime testing required: | ---
Description
Agostino Sarubbo
2014-03-31 09:51:12 UTC
bug#0002431: CVE-2014-2326 Unspecified HTML Injection Vulnerability
http://svn.cacti.net/viewvc?view=rev&revision=7443

bug#0002433: CVE-2014-2328 Unspecified Remote Command Execution Vulnerability
http://svn.cacti.net/viewvc?view=rev&revision=7442

CVE-2014-2326 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2326): Cross-site scripting (XSS) vulnerability in Cacti 0.8.7g allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

One more (no CVE yet):
http://www.openwall.com/lists/oss-security/2014/04/01/3
http://svn.cacti.net/viewvc?view=rev&revision=7393
http://bugs.cacti.net/view.php?id=2405 (undisclosed)

CVE-2014-2328 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2328): lib/graph_export.php in Cacti 0.8.7g, 0.8.8b, and earlier allows remote authenticated users to execute arbitrary commands via shell metacharacters in unspecified vectors.

CVE-2014-2327 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2327): Cross-site request forgery (CSRF) vulnerability in Cacti 0.8.7g, 0.8.8b, and earlier allows remote attackers to hijack the authentication of users for unspecified commands, as demonstrated by requests that (1) modify binary files, (2) modify configurations, or (3) add arbitrary users.

CVE-2014-2709 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2709): lib/rrd.php in Cacti 0.8.7g, 0.8.8b, and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in unspecified parameters.

CVE-2014-2708 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2708): SQL injection vulnerability in graph_xport.php in Cacti 0.8.8b allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

This is fixed in 0.8.8c, we have 0.8.8d in tree.

New GLSA Request filed.

This issue was resolved and addressed in GLSA 201509-03 at https://security.gentoo.org/glsa/201509-03 by GLSA coordinator Kristian Fiskerstrand (K_F).