Cacti is prone to multiple HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content. Attacker-supplied HTML and script code would run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
Cacti 0.8.7e is vulnerable; other versions may be affected as well.
http://www.securityfocus.com/bid/37109
New version is in the tree. Arch teams, please, stabilize.
ppc64 done
x86 stable
Stable on alpha.
amd64 stable
CVE-2009-4032 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4032): Multiple cross-site scripting (XSS) vulnerabilities in Cacti 0.8.7e allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) graph.php, (2) include/top_graph_header.php, (3) lib/html_form.php, and (4) lib/timespan_settings.php.
CVE-2009-4112 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4112): Cacti 0.8.7e and earlier allows remote authenticated administrators to gain privileges by modifying the "Data Input Method" for the "Linux - Get Memory Usage" setting to contain arbitrary commands.
sparc stable
Stable for PPC.
All arches done. Closing noglsa.