Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 294573 (CVE-2009-4032) - <net-analyzer/cacti-0.8.7e-r1 Multiple XSS flaws (CVE-2009-{4032,4112})
Summary: <net-analyzer/cacti-0.8.7e-r1 Multiple XSS flaws (CVE-2009-{4032,4112})
Status: RESOLVED FIXED
Alias: CVE-2009-4032
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
URL: http://www.securityfocus.com/bid/37109
Whiteboard: B4 [noglsa]
Keywords:
Depends on:
Blocks: 293268
  Show dependency tree
 
Reported: 2009-11-25 11:13 UTC by Peter Volkov (RETIRED)
Modified: 2009-12-21 00:21 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Peter Volkov (RETIRED) gentoo-dev 2009-11-25 11:13:22 UTC
Cacti is prone to multiple HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content.

Attacker-supplied HTML and script code would run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.

Cacti 0.8.7e is vulnerable; other versions may be affected as well. 

http://www.securityfocus.com/bid/37109

New version is in the tree. Arch teams, please, stabilize.
Comment 1 Brent Baude (RETIRED) gentoo-dev 2009-11-25 19:33:55 UTC
ppc64 done
Comment 2 Christian Faulhammer (RETIRED) gentoo-dev 2009-11-26 10:46:07 UTC
x86 stable
Comment 3 Tobias Klausmann gentoo-dev 2009-11-29 14:41:39 UTC
Stable on alpha.
Comment 4 Markus Meier gentoo-dev 2009-11-30 10:47:20 UTC
amd64 stable
Comment 5 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-11-30 18:58:08 UTC
CVE-2009-4032 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4032):
  Multiple cross-site scripting (XSS) vulnerabilities in Cacti 0.8.7e
  allow remote attackers to inject arbitrary web script or HTML via
  vectors related to (1) graph.php, (2) include/top_graph_header.php,
  (3) lib/html_form.php, and (4) lib/timespan_settings.php.

Comment 6 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-12-03 09:17:15 UTC
CVE-2009-4112 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4112):
  Cacti 0.8.7e and earlier allows remote authenticated administrators
  to gain privileges by modifying the "Data Input Method" for the
  "Linux - Get Memory Usage" setting to contain arbitrary commands.

Comment 7 Raúl Porcel (RETIRED) gentoo-dev 2009-12-09 18:51:33 UTC
sparc stable
Comment 8 Jeroen Roovers gentoo-dev 2009-12-20 16:59:48 UTC
Stable for PPC.
Comment 9 Stefan Behte (RETIRED) gentoo-dev Security 2009-12-21 00:21:42 UTC
All arches done. Closing noglsa.