Mischa Sallé and Wilco Baan Hofman reported a security issue in cacti to
Debian when processing arguments passed to the graph settings script:
No CVE has currently been assigned. Additional information from RedHat at
"It was reported that upstream fixed incomplete and incorrect input parsing,
that leads to remote code execution and SQL injection attack scenarios."
SQL injection vulnerability in the graph settings script
(graph_settings.php) in Cacti 0.8.8b and earlier allows remote attackers to
execute arbitrary SQL commands via unspecified vectors.
The graph settings script (graph_settings.php) in Cacti 0.8.8b and earlier
allows remote attackers to execute arbitrary commands via shell
metacharacters in a font size, related to the rrdtool commandline in
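The two defects described above share one root cause: request values reaching an interpreter (the shell that runs rrdtool, and the SQL engine) without being parsed into the narrow type the application actually needs. The following is an added PHP example, not code from Cacti or from the fix; the function names, the `settings_graphs` table and the `font_size` and `rrd` parameters are assumptions chosen for illustration. It places the vulnerable pattern beside the hardened one for both the command line and the query.

```php
<?php
// Added example, not Cacti's code. Demonstrates how a font size that is only
// ever meaningful as a small integer can be forced into that shape before it
// touches an rrdtool command line, and how a settings write is parameterised.

// Vulnerable pattern: the raw request value is interpolated into the command
// string, so shell metacharacters inside "font_size" are executed by the shell.
function build_rrdtool_cmd_unsafe(array $request): string
{
    $font = $request['font_size'];           // e.g. "10;id" passes straight through
    $rrd  = $request['rrd'];
    return "rrdtool graph out.png --font DEFAULT:{$font} DEF:a={$rrd}:ds:AVERAGE LINE1:a#ff0000";
}

// Hardened: accept only a bounded integer. FILTER_VALIDATE_INT rejects
// "10;id", "10 ", "1e1", "0x10" and an empty string alike.
function validate_font_size($value): int
{
    $n = filter_var($value, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 4, 'max_range' => 72],  // assumed sane range
    ]);
    if ($n === false) {
        throw new InvalidArgumentException('font size must be an integer between 4 and 72');
    }
    return $n;
}

// Hardened: every argument is a separate, individually quoted token, so the
// shell never sees user-controlled metacharacters as syntax.
function build_rrdtool_cmd_safe(array $request): string
{
    $font = validate_font_size($request['font_size'] ?? '');
    $rrd  = (string) ($request['rrd'] ?? 'x.rrd');   // still untrusted, so it is quoted below
    $args = [
        'rrdtool', 'graph', 'out.png',
        '--font', "DEFAULT:{$font}",
        "DEF:a={$rrd}:ds:AVERAGE",
        'LINE1:a#ff0000',
    ];
    return implode(' ', array_map('escapeshellarg', $args));
}

// Vulnerable pattern for the settings write: values concatenated into SQL.
function save_setting_unsafe(PDO $db, string $name, string $value): void
{
    $db->query("UPDATE settings_graphs SET value = '{$value}' WHERE name = '{$name}'");
}

// Hardened: the validated integer is bound as a parameter; the query text is
// constant, so the value can never change its structure.
function save_setting_safe(PDO $db, string $name, int $value): void
{
    $stmt = $db->prepare('UPDATE settings_graphs SET value = :value WHERE name = :name');
    $stmt->execute([':value' => $value, ':name' => $name]);
}

// Constructed inputs for a stand-alone run (no database needed for these).
$benign  = ['font_size' => '10',    'rrd' => 'x.rrd'];
$hostile = ['font_size' => "10;id", 'rrd' => 'x.rrd'];   // constructed sample

echo build_rrdtool_cmd_unsafe($hostile), PHP_EOL;   // metacharacters survive intact
echo build_rrdtool_cmd_safe($benign),   PHP_EOL;    // each token quoted, font size is int 10
try {
    build_rrdtool_cmd_safe($hostile);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;   // the hostile value never reaches the shell
}
```

Run it with `php example.php`. The point worth carrying back to a review of the real fix is the ordering: validation into a concrete type happens first, and quoting or parameter binding is applied on top of it, so that a later refactor which drops one layer still leaves the other.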
Maintainers, please confirm if this was fixed in 0.8.8d. It looks like it was, but I would like verification, as the upstream page does not have the CVEs added.
Doesn't look like it was fixed until after the 0.8.9 tag:
0.8.9 is not available yet from upstream. Package has not been updated upstream in quite some time.
@maintainer(s), can this be backported and included in the tree?
Added to existing GLSA request.
This issue was resolved and addressed in
GLSA 201607-05 at https://security.gentoo.org/glsa/201607-05
by GLSA coordinator Aaron Bauman (b-man).