From ${URL} : http://svn.cacti.net/viewvc/cacti/tags/0.8.8g/docs/CHANGELOG?revision=7788&view=markup

-bug:0002656: Authentication using web authentication as a user not in the cacti database allows complete access

http://bugs.cacti.net/view.php?id=2656

Classified by upstream as a security fix. Upstream fix is http://svn.cacti.net/viewvc?view=rev&revision=7770

https://bugzilla.suse.com/show_bug.cgi?id=965930

Accessing cacti using a user name not in the cacti database fills the log with database error messages and allows complete access to everything, including the user administration pages. The bug is in auth_login.php, which fails to check whether the query actually found any data. Fixed in tagged but (as of writing) unreleased 0.8.8g.

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
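The unchecked-lookup pattern described in this comment, shown as an added illustration that is not Cacti's auth_login.php: a web-authentication login that trusts the username supplied by the web server and looks it up in its own user table. The table name, columns and function names are assumed.

```php
<?php
// Added illustration (not Cacti's code). Schema and names are assumed.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE user_auth (id INTEGER PRIMARY KEY, username TEXT, realm INTEGER)');
$db->exec("INSERT INTO user_auth (id, username, realm) VALUES (1, 'alice', 2)");

// Look up the local account for a username the web server already authenticated.
// Returns an empty array when no such local account exists.
function fetch_user(PDO $db, string $username): array {
    $stmt = $db->prepare('SELECT id, username, realm FROM user_auth WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? [] : $row;
}

// Vulnerable pattern: the session is populated from whatever came back.
// For an unknown user the fields are NULL (PHP warns about the undefined
// keys), yet the session is still marked as logged in and later queries
// run with an empty user id, which is what fills the log with DB errors.
function login_vulnerable(PDO $db, string $remote_user): array {
    $user = fetch_user($db, $remote_user);
    return [
        'logged_in' => true,
        'user_id'   => @$user['id'],
        'realm'     => @$user['realm'],
    ];
}

// Fixed pattern: refuse to create a session unless a matching row exists.
function login_fixed(PDO $db, string $remote_user): array {
    $user = fetch_user($db, $remote_user);
    if ($user === [] || !isset($user['id'])) {
        return ['logged_in' => false, 'reason' => 'no such user in local database'];
    }
    return [
        'logged_in' => true,
        'user_id'   => (int) $user['id'],
        'realm'     => (int) $user['realm'],
    ];
}

// 'nobody' stands in for a web-server-authenticated user with no local row.
foreach (['alice', 'nobody'] as $remote_user) {
    printf("%-7s vulnerable: %s\n", $remote_user, json_encode(login_vulnerable($db, $remote_user)));
    printf("%-7s fixed:      %s\n", $remote_user, json_encode(login_fixed($db, $remote_user)));
}
```

The fixed variant treats an empty lookup as a denial rather than falling through to a session with NULL identity fields.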
Added to existing GLSA.
CVE-2016-3172 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3172): SQL injection vulnerability in tree.php in Cacti 0.8.8g and earlier allows remote authenticated users to execute arbitrary SQL commands via the parent_id parameter in an item_edit action.

CVE-2016-2313 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2313): auth_login.php in Cacti before 0.8.8g allows remote authenticated users who use web authentication to bypass intended access restrictions by logging in as a user not in the cacti database.
This issue was resolved and addressed in GLSA 201607-05 at https://security.gentoo.org/glsa/201607-05 by GLSA coordinator Aaron Bauman (b-man).