
[SECURITY] [DLA 3252-1] cacti security update

Debian LTS Advisory DLA-3252-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                       Guilhem Moulin
December 31, 2022                             https://wiki.debian.org/LTS

Package        : cacti
Version        : 1.2.2+ds1-2+deb10u5
CVE ID         : CVE-2020-8813 CVE-2020-23226 CVE-2020-25706 CVE-2022-0730
Debian Bug     : 951832 1008693 1025648

Multiple security vulnerabilities were discovered in cacti, a web
interface for graphing of monitoring systems, which may result in
information disclosure, authentication bypass, or remote code execution.


    Askar discovered that an authenticated guest user with the graph
    real-time privilege could execute arbitrary code on a server running
    Cacti, via shell meta-characters in a cookie.


    Jing Chen discovered multiple Cross Site Scripting (XSS)
    vulnerabilities in several pages, which can lead to information


    joelister discovered a Cross Site Scripting (XSS) vulnerability in
    templates_import.php, which can lead to information disclosure.


    It has been discovered that Cacti authentication can be bypassed
    when LDAP anonymous binding is enabled.
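    The following is an added illustration, not code from the advisory or
    from the Cacti project, of the general mechanism behind this class of
    bypass: an LDAP bind that supplies a DN but an empty password is an
    unauthenticated bind, and a directory that permits anonymous binds
    answers it with success without checking any credential. An
    application that treats "bind succeeded" as proof of a password has
    therefore accepted any username with an empty password. The directory
    server below is a constructed stand-in (no real LDAP library is used),
    and the DN layout `uid=<user>,ou=people,dc=example,dc=org` is an
    assumption for the example.

```python
"""LDAP anonymous-bind authentication bypass: naive vs. hardened login.

Added example; the FakeLdapServer class and the DN layout are constructed
for illustration and are not part of Cacti or the Debian advisory.
"""
from typing import Dict


class FakeLdapServer:
    """Constructed stand-in for a directory server.

    It mirrors the LDAP bind rules: a bind request carrying a DN together
    with an empty password is an *unauthenticated* bind. If the server
    allows anonymous/unauthenticated binds, that request succeeds without
    any credential check at all.
    """

    def __init__(self, users: Dict[str, str], allow_anonymous: bool = True):
        self.users = users            # DN -> password (constructed test data)
        self.allow_anonymous = allow_anonymous

    def bind(self, dn: str, password: str) -> bool:
        if password == "":
            # Unauthenticated bind: success depends only on server policy,
            # never on whether `dn` exists or what its password is.
            return self.allow_anonymous
        return self.users.get(dn) == password


def _dn_for(username: str) -> str:
    # Assumed directory layout for the example.
    return f"uid={username},ou=people,dc=example,dc=org"


def login_naive(server: FakeLdapServer, username: str, password: str) -> bool:
    """Vulnerable pattern: bind result is taken as proof of the password."""
    return server.bind(_dn_for(username), password)


def login_hardened(server: FakeLdapServer, username: str, password: str) -> bool:
    """Hardened pattern: refuse to bind at all when no password is supplied,
    so an anonymous-bind success can never be mistaken for authentication."""
    if password == "":
        return False
    return server.bind(_dn_for(username), password)


# Constructed sample directory: one real account, anonymous binds enabled.
DIRECTORY = FakeLdapServer(
    {"uid=alice,ou=people,dc=example,dc=org": "correct horse"},
    allow_anonymous=True,
)


if __name__ == "__main__":
    # Any username with an empty password gets in through the naive login.
    print("naive, admin/<empty>:    ", login_naive(DIRECTORY, "admin", ""))
    print("hardened, admin/<empty>: ", login_hardened(DIRECTORY, "admin", ""))
    print("hardened, alice/correct: ", login_hardened(DIRECTORY, "alice", "correct horse"))
```

    The application-side fix is the empty-password check (many LDAP client
    libraries now refuse such binds for the same reason); the server-side
    mitigation is to disable anonymous binds on the directory, which is
    what the advisory's condition "when LDAP anonymous binding is enabled"
    points at. Both are worth having, since either one alone depends on a
    configuration the other party may change.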


    Stefan Schiller discovered a command injection vulnerability,
    allowing an unauthenticated user to execute arbitrary code on a
    server running Cacti, if a specific data source was selected (which
    is likely the case on a production instance) for any monitored

For Debian 10 buster, these problems have been fixed in version

We recommend that you upgrade your cacti packages.

For the detailed security status of cacti please refer to
its security tracker page at:

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
