Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 515108 (CVE-2014-4002) - <net-analyzer/cacti-0.8.8c: Cross-Site Scripting Vulnerability (CVE-2014-{4002,5025,5026})
Summary: <net-analyzer/cacti-0.8.8c: Cross-Site Scripting Vulnerability (CVE-2014-{400...
Status: RESOLVED FIXED
Alias: CVE-2014-4002
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B4 [glsa cve]
Keywords:
: 540286 (view as bug list)
Depends on:
Blocks:
 
Reported: 2014-06-25 15:56 UTC by Agostino Sarubbo
Modified: 2015-09-24 16:52 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2014-06-25 15:56:07 UTC
From ${URL} :

Cacti upstream's svn [1] has a fix for CVE-2014-4002.
No more technical information is available unfortunately.
It might be that also the change before this revision is also involved [2].

[1] http://svn.cacti.net/viewvc?view=rev&revision=7452
[2] http://svn.cacti.net/viewvc?view=rev&revision=7451


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2015-01-04 18:18:20 UTC
CVE-2014-5026 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-5026):
  Multiple cross-site scripting (XSS) vulnerabilities in Cacti 0.8.8b allow
  remote authenticated users with console access to inject arbitrary web
  script or HTML via a (1) Graph Tree Title in a delete or (2) edit action;
  (3) CDEF Name, (4) Data Input Method Name, or (5) Host Templates Name in a
  delete action; (6) Data Source Title; (7) Graph Title; or (8) Graph Template
  Name in a delete or (9) duplicate action.

CVE-2014-5025 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-5025):
  Cross-site scripting (XSS) vulnerability in data_sources.php in Cacti 0.8.8b
  allows remote authenticated users with console access to inject arbitrary
  web script or HTML via the name_cache parameter in a ds_edit action.

CVE-2014-4002 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4002):
  Multiple cross-site scripting (XSS) vulnerabilities in Cacti 0.8.8b allow
  remote attackers to inject arbitrary web script or HTML via the (1)
  drp_action parameter to cdef.php, (2) data_input.php, (3) data_queries.php,
  (4) data_sources.php, (5) data_templates.php, (6) graph_templates.php, (7)
  graphs.php, (8) host.php, or (9) host_templates.php or the (10)
  graph_template_input_id or (11) graph_template_id parameter to
  graph_templates_inputs.php.
Comment 2 Jeroen Roovers gentoo-dev 2015-02-16 18:13:50 UTC
*** Bug 540286 has been marked as a duplicate of this bug. ***
Comment 3 Jeroen Roovers gentoo-dev 2015-02-16 18:14:58 UTC
http://www.cacti.net/changelog.php :

 = 0.8.8c =

bug#0002383: Sanitize the step and id variables CVE-2013-5588, CVE-2013-5589
bug#0002405: SQL injection in graph_xport.php
bug#0002431: CVE-2014-2326 Unspecified HTML Injection Vulnerability
bug#0002432: CVE-2014-2327 Cross Site Request Forgery Vulnerability - Special Thanks to Deutsche Telekom CERT
bug#0002433: CVE-2014-2328 Unspecified Remote Command Execution Vulnerability
bug#0002453: CVE-2014-4002 Cross-Site Scripting Vulnerability - Special Thanks to G. Geshev (munmap)
bug#0002455: Incomplete and incorrect input parsing leads to remote code execution and SQL injection attack scenarios
bug#0002456: CVE-2014-5025 / CVE-2014-5026 - Cross-Site Scripting Vulnerability - Special Thanks to Adan Alvarez and Paul Gevers
Comment 4 Yury German Gentoo Infrastructure gentoo-dev Security 2015-07-13 14:58:06 UTC
Fixed in 0.8.8c we have 0.8.8d stable in tree. 

Added to an existing GLSA Request.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2015-09-24 16:51:37 UTC
This issue was resolved and addressed in
 GLSA 201509-03 at https://security.gentoo.org/glsa/201509-03
by GLSA coordinator Kristian Fiskerstrand (K_F).