Summary: | <net-analyzer/cacti-0.8.8h: Authentication using web authentication as a user not in the cacti database allows complete access | | |
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | | |
Severity: | minor | CC: | netmon |
Priority: | Normal | | |
Version: | unspecified | | |
Hardware: | All | | |
OS: | Linux | | |
URL: | http://www.openwall.com/lists/oss-security/2016/02/09/3 | | |
Whiteboard: | B3 [glsa] | | |
Package list: | | Runtime testing required: | --- |
Description
Agostino Sarubbo
2016-02-11 10:52:18 UTC
Added to existing GLSA. CVE-2016-3172 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3172): SQL injection vulnerability in tree.php in Cacti 0.8.8g and earlier allows remote authenticated users to execute arbitrary SQL commands via the parent_id parameter in an item_edit action. CVE-2016-2313 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2313): auth_login.php in Cacti before 0.8.8g allows remote authenticated users who use web authentication to bypass intended access restrictions by logging in as a user not in the cacti database. This issue was resolved and addressed in GLSA 201607-05 at https://security.gentoo.org/glsa/201607-05 by GLSA coordinator Aaron Bauman (b-man).