Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: ca...@packages.debian.org
Control: affects -1 + src:cacti
User: release.debian....@packages.debian.org
Usertags: pu
[ Reason ]
Security upload, except for CVE-2024-27082, which needs coordination with other packages.

[ Impact ]
CVEs are not closed, including an RCE.

[ Tests ]
Automated tests and manual testing of the application by myself and others, including users.

[ Risks ]
Low

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
  * Fix CVE-2024-25641: RCE vulnerability when importing packages.
    An arbitrary file write vulnerability, exploitable through the
    "Package Import" feature, allows authenticated users having the
    "Import Templates" permission to execute arbitrary PHP code on the
    web server (RCE).
  * Fix CVE-2024-29894: XSS vulnerability when using the JavaScript
    based messaging API.
    raise_message_javascript from lib/functions.php now uses purify.js
    to fix CVE-2023-50250 (among others). However, it still generates
    the code out of the unescaped PHP variables $title and $header. If
    those variables contain single quotes, they can be used to inject
    JavaScript code.
  * Fix CVE-2024-31443: XSS vulnerability when managing data queries.
    Some of the data stored in the form_save() function in
    data_queries.php is not thoroughly checked and is used to
    concatenate the HTML statement in the grow_right_pane_tree()
    function from lib/html.php, finally resulting in XSS.
  * Fix CVE-2024-31444: XSS vulnerability when reading tree rules with
    the Automation API.
    Some of the data stored in the automation_tree_rules_form_save()
    function in automation_tree_rules.php is not thoroughly checked and
    is used to concatenate the HTML statement in the form_confirm()
    function from lib/html.php, finally resulting in XSS.
  * Fix CVE-2024-31445: SQL injection vulnerability.
    A SQL injection vulnerability in the `automation_get_new_graphs_sql`
    function of `api_automation.php` allows authenticated users to
    exploit these SQL injection vulnerabilities to perform privilege
    escalation and remote code execution. In `api_automation.php` line
    856, `get_request_var('filter')` is concatenated into the SQL
    statement without any sanitization. In `api_automation.php` line
    717, the filter of `'filter'` is `FILTER_DEFAULT`, which means there
    is no filter for it.
  * Fix CVE-2024-31458: SQL injection vulnerability.
    Some of the data stored in the `form_save()` function in
    `graph_template_inputs.php` is not thoroughly checked and is used to
    concatenate the SQL statement in the
    `draw_nontemplated_fields_graph_item()` function from
    `lib/html_form_templates.php`, finally resulting in SQL injection.
  * Fix CVE-2024-31459: Remote code execution.
    There is a file inclusion issue in the lib/plugin.php file. Combined
    with SQL injection vulnerabilities, RCE can be implemented.
  * Fix CVE-2024-31460: SQL code injection.
    Some of the data stored in `automation_tree_rules.php` is not
    thoroughly checked and is used to concatenate the SQL statement in
    the `create_all_header_nodes()` function from
    `lib/api_automation.php`, finally resulting in SQL injection. Using
    SQL based secondary injection, attackers can modify the contents of
    the Cacti database, and based on the modified content it may be
    possible to achieve further impact, such as arbitrary file reading,
    and even remote code execution through arbitrary file writing.
  * Fix CVE-2024-34340: type juggling vulnerability.
    Cacti calls `compat_password_hash` when users set their password.
    `compat_password_hash` uses `password_hash` if it is available, else
    it uses `md5`. When verifying a password, it calls
    `compat_password_verify`. In `compat_password_verify`,
    `password_verify` is called if it is available, else `md5` is used.
    `password_verify` and `password_hash` are supported on PHP < 5.5.0,
    according to the PHP manual. The vulnerability is in
    `compat_password_verify`: the MD5-hashed user input is compared with
    the correct password in the database by `$md5 == $hash`. It is a
    loose comparison, not `===`.
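The CVE-2024-29894 entry above describes a PHP value dropped into a single-quoted JavaScript string literal. The following PHP snippet is an added illustration of that bug shape and of the usual fix; it is not Cacti's code, and `build_message_js_unsafe`, `build_message_js_safe` and the `showMessage` JS function are hypothetical names. It assumes the message is emitted inside an HTML `<script>` element, which is why the `JSON_HEX_*` flags matter as well as quoting.

```php
<?php
// Added illustration (not Cacti's code) of a PHP variable interpolated into
// a single-quoted JavaScript string literal, and the hardened equivalent.

// Vulnerable pattern: $title is placed between '...' unescaped, so a value
// containing a single quote terminates the literal and the rest of the value
// is parsed as JavaScript.
function build_message_js_unsafe(string $title, string $body): string
{
    return "<script>showMessage('" . $title . "', '" . $body . "');</script>";
}

// Hardened pattern: json_encode() emits a valid JS string literal (quotes and
// backslashes escaped), and the HEX flags additionally encode <, >, &, ' and "
// as \uXXXX so the value can neither close the literal nor end the enclosing
// <script> element with a "</script>" sequence.
function build_message_js_safe(string $title, string $body): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP;
    return "<script>showMessage("
        . json_encode($title, $flags) . ", "
        . json_encode($body, $flags) . ");</script>";
}

// Constructed sample input: a title that closes the literal and the call,
// then starts a new statement. injected() stands for whatever code an
// attacker would supply; it is only a marker here.
$title = "x'); injected(); //";
$body  = "Template saved";

echo "unsafe: ", build_message_js_unsafe($title, $body), PHP_EOL;
echo "safe:   ", build_message_js_safe($title, $body), PHP_EOL;

// Simple structural check a reviewer can run: the hardened output must not
// contain a raw single quote or a raw '<' outside the fixed wrapper text.
$safe = build_message_js_safe($title, $body);
$payloadPart = substr($safe, strlen("<script>showMessage("), -strlen(");</script>"));
var_dump(strpos($payloadPart, "'") === false && strpos($payloadPart, "<") === false); // bool(true)
```

The unsafe variant prints `showMessage('x'); injected(); //', 'Template saved');`, i.e. the attacker-controlled text has become a statement. In the safe variant the same title is emitted as one JSON string with the quote encoded as `\u0027`, so it stays data.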
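The CVE-2024-34340 entry above turns on PHP's loose comparison `$md5 == $hash`. The snippet below is an added illustration, not Cacti's code; `verify_loose` and `verify_strict` are hypothetical names for the two comparison shapes. The two hex digests used as input are constructed to look like MD5 output of the form PHP treats as a numeric string (`0e` followed only by digits); the example does not claim they are the digest of any particular input.

```php
<?php
// Added illustration (not Cacti's code) of why `==` is wrong for comparing
// password digests in PHP, and what to use instead.

// Vulnerable shape: $computed is the md5() of the submitted password and
// $stored comes from the database. If both strings are numeric strings
// (e.g. "0e" followed by digits), PHP compares them as floats, and
// 0e12... == 0e34... is true because both evaluate to 0.0.
function verify_loose(string $stored, string $computed): bool
{
    return $computed == $stored;
}

// Hardened shape: hash_equals() compares byte for byte, never type-juggles,
// and runs in time independent of where the strings first differ.
function verify_strict(string $stored, string $computed): bool
{
    return hash_equals($stored, $computed);
}

// Constructed sample digests: 32 hex characters each, both of the form
// 0e<digits>, and clearly different from each other.
$stored   = "0e462097431906509019562988736854";
$computed = "0e830400451993494058024219903391";

var_dump($stored === $computed);             // bool(false): they differ
var_dump(verify_loose($stored, $computed));  // bool(true):  juggling accepts a wrong digest
var_dump(verify_strict($stored, $computed)); // bool(false): strict comparison rejects it

// Digests that are not numeric strings are unaffected, which is why the bug
// is easy to miss in routine testing.
$ordinary = "5d41402abc4b2a76b9719d911017c592";
var_dump(verify_loose($ordinary, $computed)); // bool(false)
```

The behaviour is the same on PHP 7 and PHP 8: PHP 8 changed how numbers compare to non-numeric strings, but two numeric strings compared with `==` are still compared numerically. `hash_equals()` is the minimal fix for an MD5 fallback path; where `password_hash()`/`password_verify()` are available they should be used instead, since they also replace the unsalted MD5 construction itself.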