
Accepted cacti 1.2.2+ds1-2+deb10u6 (source) into oldoldstable




Format: 1.8
Date: Fri, 15 Mar 2024 10:18:20 +0100
Source: cacti
Architecture: source
Version: 1.2.2+ds1-2+deb10u6
Distribution: buster-security
Urgency: high
Maintainer: Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>
Changed-By: Sylvain Beucler <beuc@debian.org>
Closes: 1059254
Changes:
 cacti (1.2.2+ds1-2+deb10u6) buster-security; urgency=high
 .
   * Non-maintainer upload by the LTS Security Team.
   * CVE-2023-39357: When the column type is numeric, the sql_save function
     directly utilizes user input. Many files and functions calling the
     sql_save function do not perform prior validation of user input,
     leading to the existence of multiple SQL injection vulnerabilities in
     Cacti. This allows authenticated users to exploit these SQL injection
     vulnerabilities to perform privilege escalation and remote code
     execution.
   * CVE-2023-39360: Stored Cross-Site-Scripting (XSS) Vulnerability allows
     an authenticated user to poison data. The vulnerability is found in
     `graphs_new.php`. Several validations are performed, but the
     `returnto` parameter is directly passed to `form_save_button`. In
     order to bypass this validation, returnto must contain
     `host.php`.
   * CVE-2023-39361: SQL injection discovered in graph_view.php. Since
     guest users can access graph_view.php without authentication by
     default, if guest users are being utilized in an enabled state, there
     could be the potential for significant damage. Attackers may exploit
     this vulnerability, and there may be possibilities for actions such as
     the usurpation of administrative privileges or remote code execution.
   * CVE-2023-39362: An authenticated privileged user can use a malicious
     string in the SNMP options of a Device, performing command injection
     and obtaining remote code execution on the underlying server. The
     `lib/snmp.php` file has a set of functions, with similar behavior,
     that accept some variables as input and place them into an `exec` call
     without proper escaping or validation.
   * CVE-2023-39364: Users with console access can be redirected to an
     arbitrary website after a change password performed via a specifically
     crafted URL. The `auth_changepassword.php` file accepts `ref` as a URL
     parameter and reflects it in the form used to perform the change
     password. Its value is used to perform a redirect via the `header` PHP
     function. A user can be tricked into performing the change password
     operation, e.g., via a phishing message, and then interacting with the
     malicious website to which the redirection has been performed, e.g.,
     downloading malware, providing credentials, etc.
   * CVE-2023-39365: Issues with Cacti Regular Expression validation
     combined with the external links feature can lead to limited SQL
     Injections and subsequent data leakage.
   * CVE-2023-39513: Stored Cross-Site-Scripting (XSS) Vulnerability which
     allows an authenticated user to poison data stored in _cacti_'s
     database. The script under `host.php` is used to monitor and manage
     hosts in the _cacti_ app, hence displays useful information such as
     data queries and verbose logs.
   * CVE-2023-39515: Stored Cross-Site-Scripting (XSS) Vulnerability allows
     an authenticated user to poison data stored in cacti's
     database. These data will be viewed by administrative cacti accounts
     and execute JavaScript code in the victim's browser at view-time. The
     script under `data_debug.php` displays data source related debugging
     information such as _data source paths, polling settings, meta-data on
     the data source_.
   * CVE-2023-39516: Stored Cross-Site-Scripting (XSS) Vulnerability which
     allows an authenticated user to poison data stored in _cacti_'s
     database. These data will be viewed by administrative _cacti_ accounts
     and execute JavaScript code in the victim's browser at view-time. The
     script under `data_sources.php` displays the data source management
     information (e.g. data source path, polling configuration etc.) for
     different data visualizations of the _cacti_ app.
   * CVE-2023-49084: While using the detected SQL Injection and
     insufficient processing of the include file path, it is possible to
     execute arbitrary code on the server. Exploitation of the
     vulnerability is possible for an authorized user. The vulnerable
     component is `link.php`. (Closes: #1059254)
   * CVE-2023-49085: It is possible to execute arbitrary SQL code through
     the `pollers.php` script. An authorized user may be able to execute
     arbitrary SQL code. The vulnerable component is `pollers.php`.
   * CVE-2023-49086: Bypassing an earlier fix (CVE-2023-39360) that leads
     to a DOM XSS attack. Exploitation of the vulnerability is possible for
     an authorized user. The vulnerable component is
     `graphs_new.php`. (Closes: #1059254)
   * CVE-2023-49088: The fix applied for CVE-2023-39515 in version 1.2.25
     is incomplete as it enables an adversary to have a victim browser
     execute malicious code when a victim user hovers their mouse over the
     malicious data source path in `data_debug.php`.
