Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2023-49085 (GCVE-0-2023-49085)
Vulnerability from cvelistv5 – Published: 2023-12-22 16:13 – Updated: 2026-02-25 16:34
VLAI
EPSS
Title
Cacti SQL Injection vulnerability
Summary
Cacti provides an operational monitoring and fault management framework. In versions 1.2.25 and prior, it is possible to execute arbitrary SQL code through the `pollers.php` script. An authorized user may be able to execute arbitrary SQL code. The vulnerable component is the `pollers.php`. Impact of the vulnerability - arbitrary SQL code execution. As of time of publication, a patch does not appear to exist.
Severity
8.8 (High)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
5 references
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T21:46:28.972Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/Cacti/cacti/security/advisories/GHSA-vr3c-38wh-g855",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Cacti/cacti/security/advisories/GHSA-vr3c-38wh-g855"
},
{
"name": "https://github.com/Cacti/cacti/blob/5f6f65c215d663a775950b2d9db35edbaf07d680/pollers.php#L451",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Cacti/cacti/blob/5f6f65c215d663a775950b2d9db35edbaf07d680/pollers.php#L451"
},
{
"tags": [
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/176995/Cacti-pollers.php-SQL-Injection-Remote-Code-Execution.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00018.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RBEOAFKRARQHTDIYSL723XAFJ2Q6624X/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-49085",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-26T04:00:41.098767Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-25T16:34:32.330Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "cacti",
"vendor": "Cacti",
"versions": [
{
"status": "affected",
"version": "\u003c= 1.2.25"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cacti provides an operational monitoring and fault management framework. In versions 1.2.25 and prior, it is possible to execute arbitrary SQL code through the `pollers.php` script. An authorized user may be able to execute arbitrary SQL code. The vulnerable component is the `pollers.php`. Impact of the vulnerability - arbitrary SQL code execution. As of time of publication, a patch does not appear to exist."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-10T16:09:44.327Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Cacti/cacti/security/advisories/GHSA-vr3c-38wh-g855",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Cacti/cacti/security/advisories/GHSA-vr3c-38wh-g855"
},
{
"name": "https://github.com/Cacti/cacti/blob/5f6f65c215d663a775950b2d9db35edbaf07d680/pollers.php#L451",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Cacti/cacti/blob/5f6f65c215d663a775950b2d9db35edbaf07d680/pollers.php#L451"
},
{
"url": "http://packetstormsecurity.com/files/176995/Cacti-pollers.php-SQL-Injection-Remote-Code-Execution.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00018.html"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RBEOAFKRARQHTDIYSL723XAFJ2Q6624X/"
}
],
"source": {
"advisory": "GHSA-vr3c-38wh-g855",
"discovery": "UNKNOWN"
},
"title": "Cacti SQL Injection vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-49085",
"datePublished": "2023-12-22T16:13:13.259Z",
"dateReserved": "2023-11-21T18:57:30.428Z",
"dateUpdated": "2026-02-25T16:34:32.330Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2023-49085",
"date": "2026-05-29",
"epss": "0.91404",
"percentile": "0.99677"
},
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:cacti:cacti:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"1.2.25\", \"matchCriteriaId\": \"C37D52EF-53D7-4D25-A805-BA4071CADB84\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"Cacti provides an operational monitoring and fault management framework. In versions 1.2.25 and prior, it is possible to execute arbitrary SQL code through the `pollers.php` script. An authorized user may be able to execute arbitrary SQL code. The vulnerable component is the `pollers.php`. Impact of the vulnerability - arbitrary SQL code execution. As of time of publication, a patch does not appear to exist.\"}, {\"lang\": \"es\", \"value\": \"Cacti proporciona un framework de monitoreo operativo y gesti\\u00f3n de fallos. En las versiones 1.2.25 y anteriores, es posible ejecutar c\\u00f3digo SQL arbitrario a trav\\u00e9s del script `pollers.php`. Un usuario autorizado puede ejecutar c\\u00f3digo SQL arbitrario. El componente vulnerable es `pollers.php`. Impacto de la vulnerabilidad: ejecuci\\u00f3n de c\\u00f3digo SQL arbitrario. En el momento de la publicaci\\u00f3n, no parece existir ning\\u00fan parche.\"}]",
"id": "CVE-2023-49085",
"lastModified": "2024-11-21T08:32:47.443",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 8.8, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 5.9}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 8.8, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 5.9}]}",
"published": "2023-12-22T17:15:07.990",
"references": "[{\"url\": \"http://packetstormsecurity.com/files/176995/Cacti-pollers.php-SQL-Injection-Remote-Code-Execution.html\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://github.com/Cacti/cacti/blob/5f6f65c215d663a775950b2d9db35edbaf07d680/pollers.php#L451\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Exploit\", \"Vendor Advisory\"]}, {\"url\": \"https://github.com/Cacti/cacti/security/advisories/GHSA-vr3c-38wh-g855\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Exploit\", \"Vendor Advisory\"]}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2024/03/msg00018.html\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RBEOAFKRARQHTDIYSL723XAFJ2Q6624X/\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"http://packetstormsecurity.com/files/176995/Cacti-pollers.php-SQL-Injection-Remote-Code-Execution.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://github.com/Cacti/cacti/blob/5f6f65c215d663a775950b2d9db35edbaf07d680/pollers.php#L451\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Vendor Advisory\"]}, {\"url\": \"https://github.com/Cacti/cacti/security/advisories/GHSA-vr3c-38wh-g855\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Vendor Advisory\"]}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2024/03/msg00018.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RBEOAFKRARQHTDIYSL723XAFJ2Q6624X/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-89\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2023-49085\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2023-12-22T17:15:07.990\",\"lastModified\":\"2024-11-21T08:32:47.443\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Cacti provides an operational monitoring and fault management framework. In versions 1.2.25 and prior, it is possible to execute arbitrary SQL code through the `pollers.php` script. An authorized user may be able to execute arbitrary SQL code. The vulnerable component is the `pollers.php`. Impact of the vulnerability - arbitrary SQL code execution. As of time of publication, a patch does not appear to exist.\"},{\"lang\":\"es\",\"value\":\"Cacti proporciona un framework de monitoreo operativo y gesti\u00f3n de fallos. En las versiones 1.2.25 y anteriores, es posible ejecutar c\u00f3digo SQL arbitrario a trav\u00e9s del script `pollers.php`. Un usuario autorizado puede ejecutar c\u00f3digo SQL arbitrario. El componente vulnerable es `pollers.php`. Impacto de la vulnerabilidad: ejecuci\u00f3n de c\u00f3digo SQL arbitrario. En el momento de la publicaci\u00f3n, no parece existir ning\u00fan parche.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-89\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:cacti:cacti:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"1.2.25\",\"matchCriteriaId\":\"C37D52EF-53D7-4D25-A805-BA4071CADB84\"}]}]}],\"references\":[{\"url\":\"http://packetstormsecurity.com/files/176995/Cacti-pollers.php-SQL-Injection-Remote-Code-Execution.html\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/Cacti/cacti/blob/5f6f65c215d663a775950b2d9db35edbaf07d680/pollers.php#L451\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/Cacti/cacti/security/advisories/GHSA-vr3c-38wh-g855\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2024/03/msg00018.html\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RBEOAFKRARQHTDIYSL723XAFJ2Q6624X/\",\"source\":\"security-advisories@github.com\"},{\"url\":\"http://packetstormsecurity.com/files/176995/Cacti-pollers.php-SQL-Injection-Remote-Code-Execution.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://github.com/Cacti/cacti/blob/5f6f65c215d663a775950b2d9db35edbaf07d680/pollers.php#L451\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/Cacti/cacti/security/advisories/GHSA-vr3c-38wh-g855\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2024/03/msg00018.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RBEOAFKRARQHTDIYSL723XAFJ2Q6624X/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
}
}
Title
Уязвимость сценария pollers.php программного средства мониторинга сети Cacti, позволяющая нарушителю выполнить произвольный код
Description
Уязвимость сценария pollers.php программного средства мониторинга сети Cacti связана с отсутствием защиты структуры запроса SQL. Эксплуатация уязвимости может позволить нарушителю, действующему удалённо, выполнить произвольный код
Severity
Vendor
The Cacti Group Inc.
Software Name
Cacti
Software Version
до 1.2.26 (Cacti)
Possible Mitigations
Обновление программного обеспечения до версии 1.2.26 и выше
Reference
https://nvd.nist.gov/vuln/detail/CVE-2023-49085
https://github.com/Cacti/cacti/security/advisories/GHSA-vr3c-38wh-g855
https://github.com/Cacti/cacti/blob/5f6f65c215d663a775950b2d9db35edbaf07d680/pollers.php#L451
CWE
CWE-89
{
"CVSS 2.0": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"CVSS 3.0": "AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"CVSS 4.0": null,
"remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": null,
"remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": null,
"\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "The Cacti Group Inc.",
"\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "\u0434\u043e 1.2.26 (Cacti)",
"\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f \u0434\u043e \u0432\u0435\u0440\u0441\u0438\u0438 1.2.26 \u0438 \u0432\u044b\u0448\u0435",
"\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "22.12.2023",
"\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "28.11.2024",
"\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "09.02.2024",
"\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2024-01113",
"\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2023-49085",
"\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
"\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u0434\u0430",
"\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "Cacti",
"\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": null,
"\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0441\u0446\u0435\u043d\u0430\u0440\u0438\u044f pollers.php \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u0430 \u043c\u043e\u043d\u0438\u0442\u043e\u0440\u0438\u043d\u0433\u0430 \u0441\u0435\u0442\u0438 Cacti, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u0432\u044b\u043f\u043e\u043b\u043d\u0438\u0442\u044c \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u043b\u044c\u043d\u044b\u0439 \u043a\u043e\u0434",
"\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0421\u0443\u0449\u0435\u0441\u0442\u0432\u0443\u0435\u0442 \u0432 \u043e\u0442\u043a\u0440\u044b\u0442\u043e\u043c \u0434\u043e\u0441\u0442\u0443\u043f\u0435",
"\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u041d\u0435\u043f\u0440\u0438\u043d\u044f\u0442\u0438\u0435 \u043c\u0435\u0440 \u043f\u043e \u0437\u0430\u0449\u0438\u0442\u0435 \u0441\u0442\u0440\u0443\u043a\u0442\u0443\u0440\u044b \u0437\u0430\u043f\u0440\u043e\u0441\u0430 SQL (\u0430\u0442\u0430\u043a\u0438 \u0442\u0438\u043f\u0430 \\\"\u0432\u043d\u0435\u0434\u0440\u0435\u043d\u0438\u0435 SQL\\\") (CWE-89)",
"\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0441\u0446\u0435\u043d\u0430\u0440\u0438\u044f pollers.php \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u0430 \u043c\u043e\u043d\u0438\u0442\u043e\u0440\u0438\u043d\u0433\u0430 \u0441\u0435\u0442\u0438 Cacti \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u043e\u0442\u0441\u0443\u0442\u0441\u0442\u0432\u0438\u0435\u043c \u0437\u0430\u0449\u0438\u0442\u044b \u0441\u0442\u0440\u0443\u043a\u0442\u0443\u0440\u044b \u0437\u0430\u043f\u0440\u043e\u0441\u0430 SQL. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0451\u043d\u043d\u043e, \u0432\u044b\u043f\u043e\u043b\u043d\u0438\u0442\u044c \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u043b\u044c\u043d\u044b\u0439 \u043a\u043e\u0434",
"\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
"\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0430 \u0438\u0441\u0441\u043b\u0435\u0434\u043e\u0432\u0430\u0442\u0435\u043b\u0435\u043c: \u0410\u043b\u0435\u043a\u0441\u0435\u0439 \u0421\u043e\u043b\u043e\u0432\u044c\u0435\u0432 (Positive Technologies)",
"\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
"\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
"\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
"\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u0417\u043b\u043e\u0443\u043f\u043e\u0442\u0440\u0435\u0431\u043b\u0435\u043d\u0438\u0435 \u0444\u0443\u043d\u043a\u0446\u0438\u043e\u043d\u0430\u043b\u043e\u043c",
"\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "https://nvd.nist.gov/vuln/detail/CVE-2023-49085 \nhttps://github.com/Cacti/cacti/security/advisories/GHSA-vr3c-38wh-g855\nhttps://github.com/Cacti/cacti/blob/5f6f65c215d663a775950b2d9db35edbaf07d680/pollers.php#L451",
"\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
"\u0422\u0438\u043f \u041f\u041e": "\u0421\u0435\u0442\u0435\u0432\u043e\u0435 \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u043e, \u041f\u0440\u0438\u043a\u043b\u0430\u0434\u043d\u043e\u0435 \u041f\u041e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0445 \u0441\u0438\u0441\u0442\u0435\u043c",
"\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-89",
"\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041a\u0440\u0438\u0442\u0438\u0447\u0435\u0441\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 10)\n\u0412\u044b\u0441\u043e\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 8,8)"
}
FKIE_CVE-2023-49085
Vulnerability from fkie_nvd - Published: 2023-12-22 17:15 - Updated: 2024-11-21 08:32
Severity
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
Cacti provides an operational monitoring and fault management framework. In versions 1.2.25 and prior, it is possible to execute arbitrary SQL code through the `pollers.php` script. An authorized user may be able to execute arbitrary SQL code. The vulnerable component is the `pollers.php`. Impact of the vulnerability - arbitrary SQL code execution. As of time of publication, a patch does not appear to exist.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:cacti:cacti:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C37D52EF-53D7-4D25-A805-BA4071CADB84",
"versionEndIncluding": "1.2.25",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cacti provides an operational monitoring and fault management framework. In versions 1.2.25 and prior, it is possible to execute arbitrary SQL code through the `pollers.php` script. An authorized user may be able to execute arbitrary SQL code. The vulnerable component is the `pollers.php`. Impact of the vulnerability - arbitrary SQL code execution. As of time of publication, a patch does not appear to exist."
},
{
"lang": "es",
"value": "Cacti proporciona un framework de monitoreo operativo y gesti\u00f3n de fallos. En las versiones 1.2.25 y anteriores, es posible ejecutar c\u00f3digo SQL arbitrario a trav\u00e9s del script `pollers.php`. Un usuario autorizado puede ejecutar c\u00f3digo SQL arbitrario. El componente vulnerable es `pollers.php`. Impacto de la vulnerabilidad: ejecuci\u00f3n de c\u00f3digo SQL arbitrario. En el momento de la publicaci\u00f3n, no parece existir ning\u00fan parche."
}
],
"id": "CVE-2023-49085",
"lastModified": "2024-11-21T08:32:47.443",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-12-22T17:15:07.990",
"references": [
{
"source": "security-advisories@github.com",
"url": "http://packetstormsecurity.com/files/176995/Cacti-pollers.php-SQL-Injection-Remote-Code-Execution.html"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/Cacti/cacti/blob/5f6f65c215d663a775950b2d9db35edbaf07d680/pollers.php#L451"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/Cacti/cacti/security/advisories/GHSA-vr3c-38wh-g855"
},
{
"source": "security-advisories@github.com",
"url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00018.html"
},
{
"source": "security-advisories@github.com",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RBEOAFKRARQHTDIYSL723XAFJ2Q6624X/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://packetstormsecurity.com/files/176995/Cacti-pollers.php-SQL-Injection-Remote-Code-Execution.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/Cacti/cacti/blob/5f6f65c215d663a775950b2d9db35edbaf07d680/pollers.php#L451"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/Cacti/cacti/security/advisories/GHSA-vr3c-38wh-g855"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00018.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RBEOAFKRARQHTDIYSL723XAFJ2Q6624X/"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
GSD-2023-49085
Vulnerability from gsd - Updated: 2023-12-13 01:20Details
Cacti provides an operational monitoring and fault management framework. In versions 1.2.25 and prior, it is possible to execute arbitrary SQL code through the `pollers.php` script. An authorized user may be able to execute arbitrary SQL code. The vulnerable component is the `pollers.php`. Impact of the vulnerability - arbitrary SQL code execution. As of time of publication, a patch does not appear to exist.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2023-49085",
"id": "GSD-2023-49085"
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2023-49085"
],
"details": "Cacti provides an operational monitoring and fault management framework. In versions 1.2.25 and prior, it is possible to execute arbitrary SQL code through the `pollers.php` script. An authorized user may be able to execute arbitrary SQL code. The vulnerable component is the `pollers.php`. Impact of the vulnerability - arbitrary SQL code execution. As of time of publication, a patch does not appear to exist.",
"id": "GSD-2023-49085",
"modified": "2023-12-13T01:20:35.336851Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2023-49085",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "cacti",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "\u003c= 1.2.25"
}
]
}
}
]
},
"vendor_name": "Cacti"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cacti provides an operational monitoring and fault management framework. In versions 1.2.25 and prior, it is possible to execute arbitrary SQL code through the `pollers.php` script. An authorized user may be able to execute arbitrary SQL code. The vulnerable component is the `pollers.php`. Impact of the vulnerability - arbitrary SQL code execution. As of time of publication, a patch does not appear to exist."
}
]
},
"impact": {
"cvss": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"cweId": "CWE-89",
"lang": "eng",
"value": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/Cacti/cacti/security/advisories/GHSA-vr3c-38wh-g855",
"refsource": "MISC",
"url": "https://github.com/Cacti/cacti/security/advisories/GHSA-vr3c-38wh-g855"
},
{
"name": "https://github.com/Cacti/cacti/blob/5f6f65c215d663a775950b2d9db35edbaf07d680/pollers.php#L451",
"refsource": "MISC",
"url": "https://github.com/Cacti/cacti/blob/5f6f65c215d663a775950b2d9db35edbaf07d680/pollers.php#L451"
},
{
"name": "http://packetstormsecurity.com/files/176995/Cacti-pollers.php-SQL-Injection-Remote-Code-Execution.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/176995/Cacti-pollers.php-SQL-Injection-Remote-Code-Execution.html"
},
{
"name": "https://lists.debian.org/debian-lts-announce/2024/03/msg00018.html",
"refsource": "MISC",
"url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00018.html"
}
]
},
"source": {
"advisory": "GHSA-vr3c-38wh-g855",
"discovery": "UNKNOWN"
}
},
"nvd.nist.gov": {
"cve": {
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:cacti:cacti:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C37D52EF-53D7-4D25-A805-BA4071CADB84",
"versionEndIncluding": "1.2.25",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cacti provides an operational monitoring and fault management framework. In versions 1.2.25 and prior, it is possible to execute arbitrary SQL code through the `pollers.php` script. An authorized user may be able to execute arbitrary SQL code. The vulnerable component is the `pollers.php`. Impact of the vulnerability - arbitrary SQL code execution. As of time of publication, a patch does not appear to exist."
},
{
"lang": "es",
"value": "Cacti proporciona un framework de monitoreo operativo y gesti\u00f3n de fallos. En las versiones 1.2.25 y anteriores, es posible ejecutar c\u00f3digo SQL arbitrario a trav\u00e9s del script `pollers.php`. Un usuario autorizado puede ejecutar c\u00f3digo SQL arbitrario. El componente vulnerable es `pollers.php`. Impacto de la vulnerabilidad: ejecuci\u00f3n de c\u00f3digo SQL arbitrario. En el momento de la publicaci\u00f3n, no parece existir ning\u00fan parche."
}
],
"id": "CVE-2023-49085",
"lastModified": "2024-03-18T20:15:08.467",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2023-12-22T17:15:07.990",
"references": [
{
"source": "security-advisories@github.com",
"url": "http://packetstormsecurity.com/files/176995/Cacti-pollers.php-SQL-Injection-Remote-Code-Execution.html"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/Cacti/cacti/blob/5f6f65c215d663a775950b2d9db35edbaf07d680/pollers.php#L451"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/Cacti/cacti/security/advisories/GHSA-vr3c-38wh-g855"
},
{
"source": "security-advisories@github.com",
"url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00018.html"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
}
}
}
OPENSUSE-SU-2024:0031-1
Vulnerability from csaf_opensuse - Published: 2024-01-24 12:47 - Updated: 2024-01-24 12:47Summary
Security update for cacti, cacti-spine
Severity
Important
Notes
Title of the patch: Security update for cacti, cacti-spine
Description of the patch: This update for cacti, cacti-spine fixes the following issues:
cacti-spine 1.2.26:
* Fix: Errors when uptime OID is not present
* Fix: MySQL reconnect option is depreciated
* Fix: Spine does not check a host with no poller items
* Fix: Poller may report the wrong number of devices polled
* Feature: Allow users to override the threads setting at the command line
* Feature: Allow spine to run in ping-only mode
cacti 1.2.26:
* CVE-2023-50250: XSS vulnerability when importing a template file (boo#1218380)
* CVE-2023-49084: RCE vulnerability when managing links (boo#1218360)
* CVE-2023-49085: SQL Injection vulnerability when managing poller devices (boo#1218378)
* CVE-2023-49086: XSS vulnerability when adding new devices (boo#1218366)
* CVE-2023-49088: XSS vulnerability when viewing data sources in debug mode (boo#1218379)
* CVE-2023-51448: SQL Injection vulnerability when managing SNMP Notification Receivers (boo#1218381)
* When viewing data sources, an undefined variable error may be seen
* Improvements for Poller Last Run Date
* Attempting to edit a Data Query that does not exist throws warnings and not an GUI error
* Improve PHP 8.1 support when adding devices
* Viewing Data Query Cache can cause errors to be logged
* Preserve option is not properly honoured when removing devices at command line
* Infinite recursion is possible during a database failure
* Monitoring Host CPU's does not always work on Windows endpoints
* Multi select drop down list box not rendered correctly in Chrome and Edge
* Selective Plugin Debugging may not always work as intended
* During upgrades, Plugins may be falsely reported as incompatible
* Plugin management at command line does not work with multiple plugins
* Improve PHP 8.1 support for incrementing only numbers
* Allow the renaming of guest and template accounts
* DS Stats issues warnings when the RRDfile has not been initialized
* When upgrading, missing data source profile can cause errors to be logged
* When deleting a single Data Source, purge historical debug data
* Improvements to form element warnings
* Some interface aliases do not appear correctly
* Aggregate graph does not show other percentiles
* Settings table updates for large values reverted by database repair
* When obtaining graph records, error messages may be recorded
* Unable to change a device's community at command line
* Increase timeout for RRDChecker
* When viewing a graph, option to edit template may lead to incorrect URL
* When upgrading, failures may occur due to missing color table keys
* On installation, allow a more appropriate template to be used as the default
* When data input parameters are allowed to be null, allow null
* CSV Exports may not always output data correctly
* When debugging a graph, long CDEF's can cause undesirable scrolling
* Secondary LDAP server not evaluated when the first one has failed
* When adding a device, using the bulk walk option can make version information appear
* When parsing a Data Query resource, an error can be reported if no direction is specified
* Database reconnection can cause errors to be reported incorrectly
* fix returned value if $sau is empty
* Add Aruba switch, Aruba controller and HPE iLO templates
* Add OSCX 6x00 templates
Patchnames: openSUSE-2024-31
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
8.8 (High)
Affected products
Recommended
18 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Package Hub 12:cacti-1.2.26-bp155.2.6.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.i586 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15 SP5:cacti-1.2.26-bp155.2.6.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.i586 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.5:cacti-1.2.26-bp155.2.6.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.i586 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
8.8 (High)
Affected products
Recommended
18 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Package Hub 12:cacti-1.2.26-bp155.2.6.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.i586 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15 SP5:cacti-1.2.26-bp155.2.6.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.i586 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.5:cacti-1.2.26-bp155.2.6.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.i586 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
5.4 (Medium)
Affected products
Recommended
18 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Package Hub 12:cacti-1.2.26-bp155.2.6.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.i586 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15 SP5:cacti-1.2.26-bp155.2.6.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.i586 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.5:cacti-1.2.26-bp155.2.6.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.i586 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
4.8 (Medium)
Affected products
Recommended
18 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Package Hub 12:cacti-1.2.26-bp155.2.6.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.i586 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15 SP5:cacti-1.2.26-bp155.2.6.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.i586 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.5:cacti-1.2.26-bp155.2.6.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.i586 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
6.1 (Medium)
Affected products
Recommended
18 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Package Hub 12:cacti-1.2.26-bp155.2.6.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.i586 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15 SP5:cacti-1.2.26-bp155.2.6.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.i586 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.5:cacti-1.2.26-bp155.2.6.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.i586 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
8.8 (High)
Affected products
Recommended
18 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Package Hub 12:cacti-1.2.26-bp155.2.6.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.i586 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15 SP5:cacti-1.2.26-bp155.2.6.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.i586 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.5:cacti-1.2.26-bp155.2.6.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.i586 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
References
29 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for cacti, cacti-spine",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for cacti, cacti-spine fixes the following issues:\n\ncacti-spine 1.2.26:\n\n* Fix: Errors when uptime OID is not present\n* Fix: MySQL reconnect option is depreciated\n* Fix: Spine does not check a host with no poller items\n* Fix: Poller may report the wrong number of devices polled\n* Feature: Allow users to override the threads setting at the command line\n* Feature: Allow spine to run in ping-only mode\n\ncacti 1.2.26:\n\n* CVE-2023-50250: XSS vulnerability when importing a template file (boo#1218380)\n* CVE-2023-49084: RCE vulnerability when managing links (boo#1218360)\n* CVE-2023-49085: SQL Injection vulnerability when managing poller devices (boo#1218378)\n* CVE-2023-49086: XSS vulnerability when adding new devices (boo#1218366)\n* CVE-2023-49088: XSS vulnerability when viewing data sources in debug mode (boo#1218379)\n* CVE-2023-51448: SQL Injection vulnerability when managing SNMP Notification Receivers (boo#1218381)\n* When viewing data sources, an undefined variable error may be seen\n* Improvements for Poller Last Run Date\n* Attempting to edit a Data Query that does not exist throws warnings and not an GUI error\n* Improve PHP 8.1 support when adding devices\n* Viewing Data Query Cache can cause errors to be logged\n* Preserve option is not properly honoured when removing devices at command line\n* Infinite recursion is possible during a database failure\n* Monitoring Host CPU\u0027s does not always work on Windows endpoints\n* Multi select drop down list box not rendered correctly in Chrome and Edge\n* Selective Plugin Debugging may not always work as intended\n* During upgrades, Plugins may be falsely reported as incompatible\n* Plugin management at command line does not work with multiple plugins\n* Improve PHP 8.1 support for incrementing only numbers\n* Allow the renaming of guest and template accounts\n* DS Stats issues warnings when the RRDfile has not been initialized\n* When upgrading, missing data source profile can cause errors to be logged\n* When deleting a single Data Source, purge historical debug data\n* Improvements to form element warnings\n* Some interface aliases do not appear correctly\n* Aggregate graph does not show other percentiles\n* Settings table updates for large values reverted by database repair\n* When obtaining graph records, error messages may be recorded\n* Unable to change a device\u0027s community at command line\n* Increase timeout for RRDChecker\n* When viewing a graph, option to edit template may lead to incorrect URL\n* When upgrading, failures may occur due to missing color table keys\n* On installation, allow a more appropriate template to be used as the default\n* When data input parameters are allowed to be null, allow null\n* CSV Exports may not always output data correctly\n* When debugging a graph, long CDEF\u0027s can cause undesirable scrolling\n* Secondary LDAP server not evaluated when the first one has failed\n* When adding a device, using the bulk walk option can make version information appear\n* When parsing a Data Query resource, an error can be reported if no direction is specified\n* Database reconnection can cause errors to be reported incorrectly\n* fix returned value if $sau is empty\n* Add Aruba switch, Aruba controller and HPE iLO templates\n* Add OSCX 6x00 templates\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-2024-31",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_0031-1.json"
},
{
"category": "self",
"summary": "URL for openSUSE-SU-2024:0031-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IZJKJNYP7JFJ3XMRIGZT22J5DIAVPSY7/"
},
{
"category": "self",
"summary": "E-Mail link for openSUSE-SU-2024:0031-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IZJKJNYP7JFJ3XMRIGZT22J5DIAVPSY7/"
},
{
"category": "self",
"summary": "SUSE Bug 1218360",
"url": "https://bugzilla.suse.com/1218360"
},
{
"category": "self",
"summary": "SUSE Bug 1218366",
"url": "https://bugzilla.suse.com/1218366"
},
{
"category": "self",
"summary": "SUSE Bug 1218378",
"url": "https://bugzilla.suse.com/1218378"
},
{
"category": "self",
"summary": "SUSE Bug 1218379",
"url": "https://bugzilla.suse.com/1218379"
},
{
"category": "self",
"summary": "SUSE Bug 1218380",
"url": "https://bugzilla.suse.com/1218380"
},
{
"category": "self",
"summary": "SUSE Bug 1218381",
"url": "https://bugzilla.suse.com/1218381"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-49084 page",
"url": "https://www.suse.com/security/cve/CVE-2023-49084/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-49085 page",
"url": "https://www.suse.com/security/cve/CVE-2023-49085/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-49086 page",
"url": "https://www.suse.com/security/cve/CVE-2023-49086/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-49088 page",
"url": "https://www.suse.com/security/cve/CVE-2023-49088/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-50250 page",
"url": "https://www.suse.com/security/cve/CVE-2023-50250/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-51448 page",
"url": "https://www.suse.com/security/cve/CVE-2023-51448/"
}
],
"title": "Security update for cacti, cacti-spine",
"tracking": {
"current_release_date": "2024-01-24T12:47:05Z",
"generator": {
"date": "2024-01-24T12:47:05Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2024:0031-1",
"initial_release_date": "2024-01-24T12:47:05Z",
"revision_history": [
{
"date": "2024-01-24T12:47:05Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "cacti-spine-1.2.26-bp155.2.6.1.aarch64",
"product": {
"name": "cacti-spine-1.2.26-bp155.2.6.1.aarch64",
"product_id": "cacti-spine-1.2.26-bp155.2.6.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "cacti-spine-1.2.26-bp155.2.6.1.i586",
"product": {
"name": "cacti-spine-1.2.26-bp155.2.6.1.i586",
"product_id": "cacti-spine-1.2.26-bp155.2.6.1.i586"
}
}
],
"category": "architecture",
"name": "i586"
},
{
"branches": [
{
"category": "product_version",
"name": "cacti-1.2.26-bp155.2.6.1.noarch",
"product": {
"name": "cacti-1.2.26-bp155.2.6.1.noarch",
"product_id": "cacti-1.2.26-bp155.2.6.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "cacti-spine-1.2.26-bp155.2.6.1.ppc64le",
"product": {
"name": "cacti-spine-1.2.26-bp155.2.6.1.ppc64le",
"product_id": "cacti-spine-1.2.26-bp155.2.6.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "cacti-spine-1.2.26-bp155.2.6.1.s390x",
"product": {
"name": "cacti-spine-1.2.26-bp155.2.6.1.s390x",
"product_id": "cacti-spine-1.2.26-bp155.2.6.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "cacti-spine-1.2.26-bp155.2.6.1.x86_64",
"product": {
"name": "cacti-spine-1.2.26-bp155.2.6.1.x86_64",
"product_id": "cacti-spine-1.2.26-bp155.2.6.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Package Hub 12",
"product": {
"name": "SUSE Package Hub 12",
"product_id": "SUSE Package Hub 12",
"product_identification_helper": {
"cpe": "cpe:/o:suse:packagehub:12"
}
}
},
{
"category": "product_name",
"name": "SUSE Package Hub 15 SP5",
"product": {
"name": "SUSE Package Hub 15 SP5",
"product_id": "SUSE Package Hub 15 SP5"
}
},
{
"category": "product_name",
"name": "openSUSE Leap 15.5",
"product": {
"name": "openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap:15.5"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "cacti-1.2.26-bp155.2.6.1.noarch as component of SUSE Package Hub 12",
"product_id": "SUSE Package Hub 12:cacti-1.2.26-bp155.2.6.1.noarch"
},
"product_reference": "cacti-1.2.26-bp155.2.6.1.noarch",
"relates_to_product_reference": "SUSE Package Hub 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cacti-spine-1.2.26-bp155.2.6.1.aarch64 as component of SUSE Package Hub 12",
"product_id": "SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.aarch64"
},
"product_reference": "cacti-spine-1.2.26-bp155.2.6.1.aarch64",
"relates_to_product_reference": "SUSE Package Hub 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cacti-spine-1.2.26-bp155.2.6.1.i586 as component of SUSE Package Hub 12",
"product_id": "SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.i586"
},
"product_reference": "cacti-spine-1.2.26-bp155.2.6.1.i586",
"relates_to_product_reference": "SUSE Package Hub 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cacti-spine-1.2.26-bp155.2.6.1.ppc64le as component of SUSE Package Hub 12",
"product_id": "SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.ppc64le"
},
"product_reference": "cacti-spine-1.2.26-bp155.2.6.1.ppc64le",
"relates_to_product_reference": "SUSE Package Hub 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cacti-spine-1.2.26-bp155.2.6.1.s390x as component of SUSE Package Hub 12",
"product_id": "SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.s390x"
},
"product_reference": "cacti-spine-1.2.26-bp155.2.6.1.s390x",
"relates_to_product_reference": "SUSE Package Hub 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cacti-spine-1.2.26-bp155.2.6.1.x86_64 as component of SUSE Package Hub 12",
"product_id": "SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.x86_64"
},
"product_reference": "cacti-spine-1.2.26-bp155.2.6.1.x86_64",
"relates_to_product_reference": "SUSE Package Hub 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cacti-1.2.26-bp155.2.6.1.noarch as component of SUSE Package Hub 15 SP5",
"product_id": "SUSE Package Hub 15 SP5:cacti-1.2.26-bp155.2.6.1.noarch"
},
"product_reference": "cacti-1.2.26-bp155.2.6.1.noarch",
"relates_to_product_reference": "SUSE Package Hub 15 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cacti-spine-1.2.26-bp155.2.6.1.aarch64 as component of SUSE Package Hub 15 SP5",
"product_id": "SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.aarch64"
},
"product_reference": "cacti-spine-1.2.26-bp155.2.6.1.aarch64",
"relates_to_product_reference": "SUSE Package Hub 15 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cacti-spine-1.2.26-bp155.2.6.1.i586 as component of SUSE Package Hub 15 SP5",
"product_id": "SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.i586"
},
"product_reference": "cacti-spine-1.2.26-bp155.2.6.1.i586",
"relates_to_product_reference": "SUSE Package Hub 15 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cacti-spine-1.2.26-bp155.2.6.1.ppc64le as component of SUSE Package Hub 15 SP5",
"product_id": "SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.ppc64le"
},
"product_reference": "cacti-spine-1.2.26-bp155.2.6.1.ppc64le",
"relates_to_product_reference": "SUSE Package Hub 15 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cacti-spine-1.2.26-bp155.2.6.1.s390x as component of SUSE Package Hub 15 SP5",
"product_id": "SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.s390x"
},
"product_reference": "cacti-spine-1.2.26-bp155.2.6.1.s390x",
"relates_to_product_reference": "SUSE Package Hub 15 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cacti-spine-1.2.26-bp155.2.6.1.x86_64 as component of SUSE Package Hub 15 SP5",
"product_id": "SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.x86_64"
},
"product_reference": "cacti-spine-1.2.26-bp155.2.6.1.x86_64",
"relates_to_product_reference": "SUSE Package Hub 15 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cacti-1.2.26-bp155.2.6.1.noarch as component of openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5:cacti-1.2.26-bp155.2.6.1.noarch"
},
"product_reference": "cacti-1.2.26-bp155.2.6.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cacti-spine-1.2.26-bp155.2.6.1.aarch64 as component of openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.aarch64"
},
"product_reference": "cacti-spine-1.2.26-bp155.2.6.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 15.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cacti-spine-1.2.26-bp155.2.6.1.i586 as component of openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.i586"
},
"product_reference": "cacti-spine-1.2.26-bp155.2.6.1.i586",
"relates_to_product_reference": "openSUSE Leap 15.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cacti-spine-1.2.26-bp155.2.6.1.ppc64le as component of openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.ppc64le"
},
"product_reference": "cacti-spine-1.2.26-bp155.2.6.1.ppc64le",
"relates_to_product_reference": "openSUSE Leap 15.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cacti-spine-1.2.26-bp155.2.6.1.s390x as component of openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.s390x"
},
"product_reference": "cacti-spine-1.2.26-bp155.2.6.1.s390x",
"relates_to_product_reference": "openSUSE Leap 15.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cacti-spine-1.2.26-bp155.2.6.1.x86_64 as component of openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.x86_64"
},
"product_reference": "cacti-spine-1.2.26-bp155.2.6.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.5"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-49084",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-49084"
}
],
"notes": [
{
"category": "general",
"text": "Cacti is a robust performance and fault management framework and a frontend to RRDTool - a Time Series Database (TSDB). While using the detected SQL Injection and insufficient processing of the include file path, it is possible to execute arbitrary code on the server. Exploitation of the vulnerability is possible for an authorized user. The vulnerable component is the `link.php`. Impact of the vulnerability execution of arbitrary code on the server. ",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Package Hub 12:cacti-1.2.26-bp155.2.6.1.noarch",
"SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.aarch64",
"SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.i586",
"SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.ppc64le",
"SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.s390x",
"SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.x86_64",
"SUSE Package Hub 15 SP5:cacti-1.2.26-bp155.2.6.1.noarch",
"SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.aarch64",
"SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.i586",
"SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.ppc64le",
"SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.s390x",
"SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.x86_64",
"openSUSE Leap 15.5:cacti-1.2.26-bp155.2.6.1.noarch",
"openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.aarch64",
"openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.i586",
"openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.ppc64le",
"openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.s390x",
"openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-49084",
"url": "https://www.suse.com/security/cve/CVE-2023-49084"
},
{
"category": "external",
"summary": "SUSE Bug 1218360 for CVE-2023-49084",
"url": "https://bugzilla.suse.com/1218360"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Package Hub 12:cacti-1.2.26-bp155.2.6.1.noarch",
"SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.aarch64",
"SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.i586",
"SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.ppc64le",
"SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.s390x",
"SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.x86_64",
"SUSE Package Hub 15 SP5:cacti-1.2.26-bp155.2.6.1.noarch",
"SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.aarch64",
"SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.i586",
"SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.ppc64le",
"SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.s390x",
"SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.x86_64",
"openSUSE Leap 15.5:cacti-1.2.26-bp155.2.6.1.noarch",
"openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.aarch64",
"openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.i586",
"openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.ppc64le",
"openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.s390x",
"openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Package Hub 12:cacti-1.2.26-bp155.2.6.1.noarch",
"SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.aarch64",
"SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.i586",
"SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.ppc64le",
"SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.s390x",
"SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.x86_64",
"SUSE Package Hub 15 SP5:cacti-1.2.26-bp155.2.6.1.noarch",
"SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.aarch64",
"SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.i586",
"SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.ppc64le",
"SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.s390x",
"SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.x86_64",
"openSUSE Leap 15.5:cacti-1.2.26-bp155.2.6.1.noarch",
"openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.aarch64",
"openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.i586",
"openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.ppc64le",
"openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.s390x",
"openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-01-24T12:47:05Z",
"details": "important"
}
],
"title": "CVE-2023-49084"
},
{
"cve": "CVE-2023-49085",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-49085"
}
],
"notes": [
{
"category": "general",
"text": "Cacti provides an operational monitoring and fault management framework. In versions 1.2.25 and prior, it is possible to execute arbitrary SQL code through the `pollers.php` script. An authorized user may be able to execute arbitrary SQL code. The vulnerable component is the `pollers.php`. Impact of the vulnerability - arbitrary SQL code execution. As of time of publication, a patch does not appear to exist.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Package Hub 12:cacti-1.2.26-bp155.2.6.1.noarch",
"SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.aarch64",
"SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.i586",
"SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.ppc64le",
"SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.s390x",
"SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.x86_64",
"SUSE Package Hub 15 SP5:cacti-1.2.26-bp155.2.6.1.noarch",
"SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.aarch64",
"SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.i586",
"SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.ppc64le",
"SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.s390x",
"SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.x86_64",
"openSUSE Leap 15.5:cacti-1.2.26-bp155.2.6.1.noarch",
"openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.aarch64",
"openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.i586",
"openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.ppc64le",
"openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.s390x",
"openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-49085",
"url": "https://www.suse.com/security/cve/CVE-2023-49085"
},
{
"category": "external",
"summary": "SUSE Bug 1218378 for CVE-2023-49085",
"url": "https://bugzilla.suse.com/1218378"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Package Hub 12:cacti-1.2.26-bp155.2.6.1.noarch",
"SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.aarch64",
"SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.i586",
"SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.ppc64le",
"SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.s390x",
"SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.x86_64",
"SUSE Package Hub 15 SP5:cacti-1.2.26-bp155.2.6.1.noarch",
"SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.aarch64",
"SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.i586",
"SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.ppc64le",
"SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.s390x",
"SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.x86_64",
"openSUSE Leap 15.5:cacti-1.2.26-bp155.2.6.1.noarch",
"openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.aarch64",
"openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.i586",
"openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.ppc64le",
"openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.s390x",
"openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Package Hub 12:cacti-1.2.26-bp155.2.6.1.noarch",
"SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.aarch64",
"SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.i586",
"SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.ppc64le",
"SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.s390x",
"SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.x86_64",
"SUSE Package Hub 15 SP5:cacti-1.2.26-bp155.2.6.1.noarch",
"SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.aarch64",
"SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.i586",
"SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.ppc64le",
"SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.s390x",
"SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.x86_64",
"openSUSE Leap 15.5:cacti-1.2.26-bp155.2.6.1.noarch",
"openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.aarch64",
"openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.i586",
"openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.ppc64le",
"openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.s390x",
"openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-01-24T12:47:05Z",
"details": "important"
}
],
"title": "CVE-2023-49085"
},
{
"cve": "CVE-2023-49086",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-49086"
}
],
"notes": [
{
"category": "general",
"text": "Cacti is a robust performance and fault management framework and a frontend to RRDTool - a Time Series Database (TSDB). A vulnerability in versions prior to 1.2.27 bypasses an earlier fix for CVE-2023-39360, therefore leading to a DOM XSS attack. Exploitation of the vulnerability is possible for an authorized user. The vulnerable component is the `graphs_new.php`. The impact of the vulnerability is execution of arbitrary JavaScript code in the attacked user\u0027s browser. This issue has been patched in version 1.2.27.\n",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Package Hub 12:cacti-1.2.26-bp155.2.6.1.noarch",
"SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.aarch64",
"SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.i586",
"SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.ppc64le",
"SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.s390x",
"SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.x86_64",
"SUSE Package Hub 15 SP5:cacti-1.2.26-bp155.2.6.1.noarch",
"SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.aarch64",
"SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.i586",
"SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.ppc64le",
"SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.s390x",
"SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.x86_64",
"openSUSE Leap 15.5:cacti-1.2.26-bp155.2.6.1.noarch",
"openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.aarch64",
"openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.i586",
"openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.ppc64le",
"openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.s390x",
"openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-49086",
"url": "https://www.suse.com/security/cve/CVE-2023-49086"
},
{
"category": "external",
"summary": "SUSE Bug 1218366 for CVE-2023-49086",
"url": "https://bugzilla.suse.com/1218366"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Package Hub 12:cacti-1.2.26-bp155.2.6.1.noarch",
"SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.aarch64",
"SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.i586",
"SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.ppc64le",
"SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.s390x",
"SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.x86_64",
"SUSE Package Hub 15 SP5:cacti-1.2.26-bp155.2.6.1.noarch",
"SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.aarch64",
"SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.i586",
"SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.ppc64le",
"SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.s390x",
"SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.x86_64",
"openSUSE Leap 15.5:cacti-1.2.26-bp155.2.6.1.noarch",
"openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.aarch64",
"openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.i586",
"openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.ppc64le",
"openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.s390x",
"openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"SUSE Package Hub 12:cacti-1.2.26-bp155.2.6.1.noarch",
"SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.aarch64",
"SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.i586",
"SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.ppc64le",
"SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.s390x",
"SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.x86_64",
"SUSE Package Hub 15 SP5:cacti-1.2.26-bp155.2.6.1.noarch",
"SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.aarch64",
"SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.i586",
"SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.ppc64le",
"SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.s390x",
"SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.x86_64",
"openSUSE Leap 15.5:cacti-1.2.26-bp155.2.6.1.noarch",
"openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.aarch64",
"openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.i586",
"openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.ppc64le",
"openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.s390x",
"openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-01-24T12:47:05Z",
"details": "moderate"
}
],
"title": "CVE-2023-49086"
},
{
"cve": "CVE-2023-49088",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-49088"
}
],
"notes": [
{
"category": "general",
"text": "Cacti is an open source operational monitoring and fault management framework. The fix applied for CVE-2023-39515 in version 1.2.25 is incomplete as it enables an adversary to have a victim browser execute malicious code when a victim user hovers their mouse over the malicious data source path in `data_debug.php`. To perform the cross-site scripting attack, the adversary needs to be an authorized cacti user with the following permissions: `General Administration\u003eSites/Devices/Data`. The victim of this attack could be any account with permissions to view `http://\u003cHOST\u003e/cacti/data_debug.php`. As of time of publication, no complete fix has been included in Cacti.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Package Hub 12:cacti-1.2.26-bp155.2.6.1.noarch",
"SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.aarch64",
"SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.i586",
"SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.ppc64le",
"SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.s390x",
"SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.x86_64",
"SUSE Package Hub 15 SP5:cacti-1.2.26-bp155.2.6.1.noarch",
"SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.aarch64",
"SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.i586",
"SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.ppc64le",
"SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.s390x",
"SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.x86_64",
"openSUSE Leap 15.5:cacti-1.2.26-bp155.2.6.1.noarch",
"openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.aarch64",
"openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.i586",
"openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.ppc64le",
"openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.s390x",
"openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-49088",
"url": "https://www.suse.com/security/cve/CVE-2023-49088"
},
{
"category": "external",
"summary": "SUSE Bug 1218379 for CVE-2023-49088",
"url": "https://bugzilla.suse.com/1218379"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Package Hub 12:cacti-1.2.26-bp155.2.6.1.noarch",
"SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.aarch64",
"SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.i586",
"SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.ppc64le",
"SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.s390x",
"SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.x86_64",
"SUSE Package Hub 15 SP5:cacti-1.2.26-bp155.2.6.1.noarch",
"SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.aarch64",
"SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.i586",
"SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.ppc64le",
"SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.s390x",
"SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.x86_64",
"openSUSE Leap 15.5:cacti-1.2.26-bp155.2.6.1.noarch",
"openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.aarch64",
"openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.i586",
"openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.ppc64le",
"openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.s390x",
"openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"SUSE Package Hub 12:cacti-1.2.26-bp155.2.6.1.noarch",
"SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.aarch64",
"SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.i586",
"SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.ppc64le",
"SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.s390x",
"SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.x86_64",
"SUSE Package Hub 15 SP5:cacti-1.2.26-bp155.2.6.1.noarch",
"SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.aarch64",
"SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.i586",
"SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.ppc64le",
"SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.s390x",
"SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.x86_64",
"openSUSE Leap 15.5:cacti-1.2.26-bp155.2.6.1.noarch",
"openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.aarch64",
"openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.i586",
"openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.ppc64le",
"openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.s390x",
"openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-01-24T12:47:05Z",
"details": "moderate"
}
],
"title": "CVE-2023-49088"
},
{
"cve": "CVE-2023-50250",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-50250"
}
],
"notes": [
{
"category": "general",
"text": "Cacti is an open source operational monitoring and fault management framework. A reflection cross-site scripting vulnerability was discovered in version 1.2.25. Attackers can exploit this vulnerability to perform actions on behalf of other users. The vulnerability is found in `templates_import.php.` When uploading an xml template file, if the XML file does not pass the check, the server will give a JavaScript pop-up prompt, which contains unfiltered xml template file name, resulting in XSS. An attacker exploiting this vulnerability could execute actions on behalf of other users. This ability to impersonate users could lead to unauthorized changes to settings. As of time of publication, no patched versions are available.\n",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Package Hub 12:cacti-1.2.26-bp155.2.6.1.noarch",
"SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.aarch64",
"SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.i586",
"SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.ppc64le",
"SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.s390x",
"SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.x86_64",
"SUSE Package Hub 15 SP5:cacti-1.2.26-bp155.2.6.1.noarch",
"SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.aarch64",
"SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.i586",
"SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.ppc64le",
"SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.s390x",
"SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.x86_64",
"openSUSE Leap 15.5:cacti-1.2.26-bp155.2.6.1.noarch",
"openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.aarch64",
"openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.i586",
"openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.ppc64le",
"openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.s390x",
"openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-50250",
"url": "https://www.suse.com/security/cve/CVE-2023-50250"
},
{
"category": "external",
"summary": "SUSE Bug 1218380 for CVE-2023-50250",
"url": "https://bugzilla.suse.com/1218380"
},
{
"category": "external",
"summary": "SUSE Bug 1224231 for CVE-2023-50250",
"url": "https://bugzilla.suse.com/1224231"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Package Hub 12:cacti-1.2.26-bp155.2.6.1.noarch",
"SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.aarch64",
"SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.i586",
"SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.ppc64le",
"SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.s390x",
"SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.x86_64",
"SUSE Package Hub 15 SP5:cacti-1.2.26-bp155.2.6.1.noarch",
"SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.aarch64",
"SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.i586",
"SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.ppc64le",
"SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.s390x",
"SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.x86_64",
"openSUSE Leap 15.5:cacti-1.2.26-bp155.2.6.1.noarch",
"openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.aarch64",
"openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.i586",
"openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.ppc64le",
"openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.s390x",
"openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"SUSE Package Hub 12:cacti-1.2.26-bp155.2.6.1.noarch",
"SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.aarch64",
"SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.i586",
"SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.ppc64le",
"SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.s390x",
"SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.x86_64",
"SUSE Package Hub 15 SP5:cacti-1.2.26-bp155.2.6.1.noarch",
"SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.aarch64",
"SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.i586",
"SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.ppc64le",
"SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.s390x",
"SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.x86_64",
"openSUSE Leap 15.5:cacti-1.2.26-bp155.2.6.1.noarch",
"openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.aarch64",
"openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.i586",
"openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.ppc64le",
"openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.s390x",
"openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-01-24T12:47:05Z",
"details": "moderate"
}
],
"title": "CVE-2023-50250"
},
{
"cve": "CVE-2023-51448",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-51448"
}
],
"notes": [
{
"category": "general",
"text": "Cacti provides an operational monitoring and fault management framework. Version 1.2.25 has a Blind SQL Injection (SQLi) vulnerability within the SNMP Notification Receivers feature in the file `\u0027managers.php\u0027`. An authenticated attacker with the \"Settings/Utilities\" permission can send a crafted HTTP GET request to the endpoint `\u0027/cacti/managers.php\u0027` with an SQLi payload in the `\u0027selected_graphs_array\u0027` HTTP GET parameter. As of time of publication, no patched versions exist.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Package Hub 12:cacti-1.2.26-bp155.2.6.1.noarch",
"SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.aarch64",
"SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.i586",
"SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.ppc64le",
"SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.s390x",
"SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.x86_64",
"SUSE Package Hub 15 SP5:cacti-1.2.26-bp155.2.6.1.noarch",
"SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.aarch64",
"SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.i586",
"SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.ppc64le",
"SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.s390x",
"SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.x86_64",
"openSUSE Leap 15.5:cacti-1.2.26-bp155.2.6.1.noarch",
"openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.aarch64",
"openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.i586",
"openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.ppc64le",
"openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.s390x",
"openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-51448",
"url": "https://www.suse.com/security/cve/CVE-2023-51448"
},
{
"category": "external",
"summary": "SUSE Bug 1218381 for CVE-2023-51448",
"url": "https://bugzilla.suse.com/1218381"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Package Hub 12:cacti-1.2.26-bp155.2.6.1.noarch",
"SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.aarch64",
"SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.i586",
"SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.ppc64le",
"SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.s390x",
"SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.x86_64",
"SUSE Package Hub 15 SP5:cacti-1.2.26-bp155.2.6.1.noarch",
"SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.aarch64",
"SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.i586",
"SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.ppc64le",
"SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.s390x",
"SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.x86_64",
"openSUSE Leap 15.5:cacti-1.2.26-bp155.2.6.1.noarch",
"openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.aarch64",
"openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.i586",
"openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.ppc64le",
"openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.s390x",
"openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Package Hub 12:cacti-1.2.26-bp155.2.6.1.noarch",
"SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.aarch64",
"SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.i586",
"SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.ppc64le",
"SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.s390x",
"SUSE Package Hub 12:cacti-spine-1.2.26-bp155.2.6.1.x86_64",
"SUSE Package Hub 15 SP5:cacti-1.2.26-bp155.2.6.1.noarch",
"SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.aarch64",
"SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.i586",
"SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.ppc64le",
"SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.s390x",
"SUSE Package Hub 15 SP5:cacti-spine-1.2.26-bp155.2.6.1.x86_64",
"openSUSE Leap 15.5:cacti-1.2.26-bp155.2.6.1.noarch",
"openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.aarch64",
"openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.i586",
"openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.ppc64le",
"openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.s390x",
"openSUSE Leap 15.5:cacti-spine-1.2.26-bp155.2.6.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-01-24T12:47:05Z",
"details": "important"
}
],
"title": "CVE-2023-51448"
}
]
}
OPENSUSE-SU-2024:13533-1
Vulnerability from csaf_opensuse - Published: 2024-06-15 00:00 - Updated: 2024-06-15 00:00Summary
cacti-1.2.26-1.1 on GA media
Severity
Moderate
Notes
Title of the patch: cacti-1.2.26-1.1 on GA media
Description of the patch: These are all security issues fixed in the cacti-1.2.26-1.1 package on the GA media of openSUSE Tumbleweed.
Patchnames: openSUSE-Tumbleweed-2024-13533
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
8.8 (High)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:cacti-1.2.26-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:cacti-1.2.26-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:cacti-1.2.26-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:cacti-1.2.26-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
8.8 (High)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:cacti-1.2.26-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:cacti-1.2.26-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:cacti-1.2.26-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:cacti-1.2.26-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
5.4 (Medium)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:cacti-1.2.26-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:cacti-1.2.26-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:cacti-1.2.26-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:cacti-1.2.26-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
4.8 (Medium)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:cacti-1.2.26-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:cacti-1.2.26-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:cacti-1.2.26-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:cacti-1.2.26-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
6.1 (Medium)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:cacti-1.2.26-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:cacti-1.2.26-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:cacti-1.2.26-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:cacti-1.2.26-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
8.8 (High)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:cacti-1.2.26-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:cacti-1.2.26-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:cacti-1.2.26-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:cacti-1.2.26-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
References
21 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "cacti-1.2.26-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the cacti-1.2.26-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2024-13533",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_13533-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-49084 page",
"url": "https://www.suse.com/security/cve/CVE-2023-49084/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-49085 page",
"url": "https://www.suse.com/security/cve/CVE-2023-49085/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-49086 page",
"url": "https://www.suse.com/security/cve/CVE-2023-49086/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-49088 page",
"url": "https://www.suse.com/security/cve/CVE-2023-49088/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-50250 page",
"url": "https://www.suse.com/security/cve/CVE-2023-50250/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-51448 page",
"url": "https://www.suse.com/security/cve/CVE-2023-51448/"
}
],
"title": "cacti-1.2.26-1.1 on GA media",
"tracking": {
"current_release_date": "2024-06-15T00:00:00Z",
"generator": {
"date": "2024-06-15T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2024:13533-1",
"initial_release_date": "2024-06-15T00:00:00Z",
"revision_history": [
{
"date": "2024-06-15T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "cacti-1.2.26-1.1.aarch64",
"product": {
"name": "cacti-1.2.26-1.1.aarch64",
"product_id": "cacti-1.2.26-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "cacti-1.2.26-1.1.ppc64le",
"product": {
"name": "cacti-1.2.26-1.1.ppc64le",
"product_id": "cacti-1.2.26-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "cacti-1.2.26-1.1.s390x",
"product": {
"name": "cacti-1.2.26-1.1.s390x",
"product_id": "cacti-1.2.26-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "cacti-1.2.26-1.1.x86_64",
"product": {
"name": "cacti-1.2.26-1.1.x86_64",
"product_id": "cacti-1.2.26-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "cacti-1.2.26-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:cacti-1.2.26-1.1.aarch64"
},
"product_reference": "cacti-1.2.26-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cacti-1.2.26-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:cacti-1.2.26-1.1.ppc64le"
},
"product_reference": "cacti-1.2.26-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cacti-1.2.26-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:cacti-1.2.26-1.1.s390x"
},
"product_reference": "cacti-1.2.26-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cacti-1.2.26-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:cacti-1.2.26-1.1.x86_64"
},
"product_reference": "cacti-1.2.26-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-49084",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-49084"
}
],
"notes": [
{
"category": "general",
"text": "Cacti is a robust performance and fault management framework and a frontend to RRDTool - a Time Series Database (TSDB). While using the detected SQL Injection and insufficient processing of the include file path, it is possible to execute arbitrary code on the server. Exploitation of the vulnerability is possible for an authorized user. The vulnerable component is the `link.php`. Impact of the vulnerability execution of arbitrary code on the server. ",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:cacti-1.2.26-1.1.aarch64",
"openSUSE Tumbleweed:cacti-1.2.26-1.1.ppc64le",
"openSUSE Tumbleweed:cacti-1.2.26-1.1.s390x",
"openSUSE Tumbleweed:cacti-1.2.26-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-49084",
"url": "https://www.suse.com/security/cve/CVE-2023-49084"
},
{
"category": "external",
"summary": "SUSE Bug 1218360 for CVE-2023-49084",
"url": "https://bugzilla.suse.com/1218360"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:cacti-1.2.26-1.1.aarch64",
"openSUSE Tumbleweed:cacti-1.2.26-1.1.ppc64le",
"openSUSE Tumbleweed:cacti-1.2.26-1.1.s390x",
"openSUSE Tumbleweed:cacti-1.2.26-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:cacti-1.2.26-1.1.aarch64",
"openSUSE Tumbleweed:cacti-1.2.26-1.1.ppc64le",
"openSUSE Tumbleweed:cacti-1.2.26-1.1.s390x",
"openSUSE Tumbleweed:cacti-1.2.26-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2023-49084"
},
{
"cve": "CVE-2023-49085",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-49085"
}
],
"notes": [
{
"category": "general",
"text": "Cacti provides an operational monitoring and fault management framework. In versions 1.2.25 and prior, it is possible to execute arbitrary SQL code through the `pollers.php` script. An authorized user may be able to execute arbitrary SQL code. The vulnerable component is the `pollers.php`. Impact of the vulnerability - arbitrary SQL code execution. As of time of publication, a patch does not appear to exist.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:cacti-1.2.26-1.1.aarch64",
"openSUSE Tumbleweed:cacti-1.2.26-1.1.ppc64le",
"openSUSE Tumbleweed:cacti-1.2.26-1.1.s390x",
"openSUSE Tumbleweed:cacti-1.2.26-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-49085",
"url": "https://www.suse.com/security/cve/CVE-2023-49085"
},
{
"category": "external",
"summary": "SUSE Bug 1218378 for CVE-2023-49085",
"url": "https://bugzilla.suse.com/1218378"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:cacti-1.2.26-1.1.aarch64",
"openSUSE Tumbleweed:cacti-1.2.26-1.1.ppc64le",
"openSUSE Tumbleweed:cacti-1.2.26-1.1.s390x",
"openSUSE Tumbleweed:cacti-1.2.26-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:cacti-1.2.26-1.1.aarch64",
"openSUSE Tumbleweed:cacti-1.2.26-1.1.ppc64le",
"openSUSE Tumbleweed:cacti-1.2.26-1.1.s390x",
"openSUSE Tumbleweed:cacti-1.2.26-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2023-49085"
},
{
"cve": "CVE-2023-49086",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-49086"
}
],
"notes": [
{
"category": "general",
"text": "Cacti is a robust performance and fault management framework and a frontend to RRDTool - a Time Series Database (TSDB). A vulnerability in versions prior to 1.2.27 bypasses an earlier fix for CVE-2023-39360, therefore leading to a DOM XSS attack. Exploitation of the vulnerability is possible for an authorized user. The vulnerable component is the `graphs_new.php`. The impact of the vulnerability is execution of arbitrary JavaScript code in the attacked user\u0027s browser. This issue has been patched in version 1.2.27.\n",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:cacti-1.2.26-1.1.aarch64",
"openSUSE Tumbleweed:cacti-1.2.26-1.1.ppc64le",
"openSUSE Tumbleweed:cacti-1.2.26-1.1.s390x",
"openSUSE Tumbleweed:cacti-1.2.26-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-49086",
"url": "https://www.suse.com/security/cve/CVE-2023-49086"
},
{
"category": "external",
"summary": "SUSE Bug 1218366 for CVE-2023-49086",
"url": "https://bugzilla.suse.com/1218366"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:cacti-1.2.26-1.1.aarch64",
"openSUSE Tumbleweed:cacti-1.2.26-1.1.ppc64le",
"openSUSE Tumbleweed:cacti-1.2.26-1.1.s390x",
"openSUSE Tumbleweed:cacti-1.2.26-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:cacti-1.2.26-1.1.aarch64",
"openSUSE Tumbleweed:cacti-1.2.26-1.1.ppc64le",
"openSUSE Tumbleweed:cacti-1.2.26-1.1.s390x",
"openSUSE Tumbleweed:cacti-1.2.26-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2023-49086"
},
{
"cve": "CVE-2023-49088",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-49088"
}
],
"notes": [
{
"category": "general",
"text": "Cacti is an open source operational monitoring and fault management framework. The fix applied for CVE-2023-39515 in version 1.2.25 is incomplete as it enables an adversary to have a victim browser execute malicious code when a victim user hovers their mouse over the malicious data source path in `data_debug.php`. To perform the cross-site scripting attack, the adversary needs to be an authorized cacti user with the following permissions: `General Administration\u003eSites/Devices/Data`. The victim of this attack could be any account with permissions to view `http://\u003cHOST\u003e/cacti/data_debug.php`. As of time of publication, no complete fix has been included in Cacti.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:cacti-1.2.26-1.1.aarch64",
"openSUSE Tumbleweed:cacti-1.2.26-1.1.ppc64le",
"openSUSE Tumbleweed:cacti-1.2.26-1.1.s390x",
"openSUSE Tumbleweed:cacti-1.2.26-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-49088",
"url": "https://www.suse.com/security/cve/CVE-2023-49088"
},
{
"category": "external",
"summary": "SUSE Bug 1218379 for CVE-2023-49088",
"url": "https://bugzilla.suse.com/1218379"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:cacti-1.2.26-1.1.aarch64",
"openSUSE Tumbleweed:cacti-1.2.26-1.1.ppc64le",
"openSUSE Tumbleweed:cacti-1.2.26-1.1.s390x",
"openSUSE Tumbleweed:cacti-1.2.26-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:cacti-1.2.26-1.1.aarch64",
"openSUSE Tumbleweed:cacti-1.2.26-1.1.ppc64le",
"openSUSE Tumbleweed:cacti-1.2.26-1.1.s390x",
"openSUSE Tumbleweed:cacti-1.2.26-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2023-49088"
},
{
"cve": "CVE-2023-50250",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-50250"
}
],
"notes": [
{
"category": "general",
"text": "Cacti is an open source operational monitoring and fault management framework. A reflection cross-site scripting vulnerability was discovered in version 1.2.25. Attackers can exploit this vulnerability to perform actions on behalf of other users. The vulnerability is found in `templates_import.php.` When uploading an xml template file, if the XML file does not pass the check, the server will give a JavaScript pop-up prompt, which contains unfiltered xml template file name, resulting in XSS. An attacker exploiting this vulnerability could execute actions on behalf of other users. This ability to impersonate users could lead to unauthorized changes to settings. As of time of publication, no patched versions are available.\n",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:cacti-1.2.26-1.1.aarch64",
"openSUSE Tumbleweed:cacti-1.2.26-1.1.ppc64le",
"openSUSE Tumbleweed:cacti-1.2.26-1.1.s390x",
"openSUSE Tumbleweed:cacti-1.2.26-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-50250",
"url": "https://www.suse.com/security/cve/CVE-2023-50250"
},
{
"category": "external",
"summary": "SUSE Bug 1218380 for CVE-2023-50250",
"url": "https://bugzilla.suse.com/1218380"
},
{
"category": "external",
"summary": "SUSE Bug 1224231 for CVE-2023-50250",
"url": "https://bugzilla.suse.com/1224231"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:cacti-1.2.26-1.1.aarch64",
"openSUSE Tumbleweed:cacti-1.2.26-1.1.ppc64le",
"openSUSE Tumbleweed:cacti-1.2.26-1.1.s390x",
"openSUSE Tumbleweed:cacti-1.2.26-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:cacti-1.2.26-1.1.aarch64",
"openSUSE Tumbleweed:cacti-1.2.26-1.1.ppc64le",
"openSUSE Tumbleweed:cacti-1.2.26-1.1.s390x",
"openSUSE Tumbleweed:cacti-1.2.26-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2023-50250"
},
{
"cve": "CVE-2023-51448",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-51448"
}
],
"notes": [
{
"category": "general",
"text": "Cacti provides an operational monitoring and fault management framework. Version 1.2.25 has a Blind SQL Injection (SQLi) vulnerability within the SNMP Notification Receivers feature in the file `\u0027managers.php\u0027`. An authenticated attacker with the \"Settings/Utilities\" permission can send a crafted HTTP GET request to the endpoint `\u0027/cacti/managers.php\u0027` with an SQLi payload in the `\u0027selected_graphs_array\u0027` HTTP GET parameter. As of time of publication, no patched versions exist.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:cacti-1.2.26-1.1.aarch64",
"openSUSE Tumbleweed:cacti-1.2.26-1.1.ppc64le",
"openSUSE Tumbleweed:cacti-1.2.26-1.1.s390x",
"openSUSE Tumbleweed:cacti-1.2.26-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-51448",
"url": "https://www.suse.com/security/cve/CVE-2023-51448"
},
{
"category": "external",
"summary": "SUSE Bug 1218381 for CVE-2023-51448",
"url": "https://bugzilla.suse.com/1218381"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:cacti-1.2.26-1.1.aarch64",
"openSUSE Tumbleweed:cacti-1.2.26-1.1.ppc64le",
"openSUSE Tumbleweed:cacti-1.2.26-1.1.s390x",
"openSUSE Tumbleweed:cacti-1.2.26-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:cacti-1.2.26-1.1.aarch64",
"openSUSE Tumbleweed:cacti-1.2.26-1.1.ppc64le",
"openSUSE Tumbleweed:cacti-1.2.26-1.1.s390x",
"openSUSE Tumbleweed:cacti-1.2.26-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2023-51448"
}
]
}
WID-SEC-W-2023-3221
Vulnerability from csaf_certbund - Published: 2023-12-26 23:00 - Updated: 2024-05-21 22:00Summary
Cacti: Mehrere Schwachstellen
Severity
Hoch
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung: Cacti ist ein grafisches Frontend zur Visualisierung von statistischen Daten, erfasst durch die Round Robin Database rrdtool.
Angriff: Ein entfernter, anonymer oder authentifizierter Angreifer kann mehrere Schwachstellen in Cacti ausnutzen, um vertrauliche Informationen offenzulegen, Dateien zu manipulieren und beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen oder XSS-Angriffe durchzuführen.
Betroffene Betriebssysteme: - Linux
- MacOS X
- Windows
Es besteht eine Schwachstelle in Cacti. Dieser Fehler besteht in der Datei link.php aufgrund einer unzureichenden Verarbeitung des Pfades der Include-Datei. Ein entfernter, authentifizierter Angreifer kann diese Schwachstelle zur Ausführung von beliebigem Code auf dem Server ausnutzen.
Affected products
Known affected
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Debian Linux
Debian
|
cpe:/o:debian:debian_linux:-
|
— | |
|
Amazon Linux 2
Amazon
|
cpe:/o:amazon:linux_2:-
|
— | |
|
Fedora Linux
Fedora
|
cpe:/o:fedoraproject:fedora:-
|
— |
Es bestehen mehrere Schwachstellen in Cacti. Diese Fehler bestehen aufgrund eines SQL Injection Problems in der SNMP Notification Receivers Funktion und in der pollers.php Datei. Ein entfernter, authentifizierter Angreifer kann diese Schwachstellen ausnutzen, um vertrauliche Informationen offenzulegen, Dateien zu manipulieren und beliebigen Code auszuführen.
Affected products
Known affected
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Debian Linux
Debian
|
cpe:/o:debian:debian_linux:-
|
— | |
|
Amazon Linux 2
Amazon
|
cpe:/o:amazon:linux_2:-
|
— | |
|
Fedora Linux
Fedora
|
cpe:/o:fedoraproject:fedora:-
|
— |
Es bestehen mehrere Schwachstellen in Cacti. Diese Fehler bestehen aufgrund eines SQL Injection Problems in der SNMP Notification Receivers Funktion und in der pollers.php Datei. Ein entfernter, authentifizierter Angreifer kann diese Schwachstellen ausnutzen, um vertrauliche Informationen offenzulegen, Dateien zu manipulieren und beliebigen Code auszuführen.
Affected products
Known affected
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Debian Linux
Debian
|
cpe:/o:debian:debian_linux:-
|
— | |
|
Amazon Linux 2
Amazon
|
cpe:/o:amazon:linux_2:-
|
— | |
|
Fedora Linux
Fedora
|
cpe:/o:fedoraproject:fedora:-
|
— |
In Cacti existieren mehrere Cross-Site Scripting Schwachstellen. HTML und Script-Eingaben werden in mehrere php-Komponenten nicht ordnungsgemäß überprüft, bevor sie an den Benutzer zurückgegeben werden. Ein entfernter, anonymer Angreifer kann durch Ausnutzung dieser Schwachstellen beliebigen HTML- und Script-Code durch den Browser des Benutzers im Kontext der betroffenen Seite ausführen. Zur erfolgreichen Ausnutzung ist eine Benutzeraktion erforderlich.
Affected products
Known affected
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Debian Linux
Debian
|
cpe:/o:debian:debian_linux:-
|
— | |
|
Amazon Linux 2
Amazon
|
cpe:/o:amazon:linux_2:-
|
— | |
|
Fedora Linux
Fedora
|
cpe:/o:fedoraproject:fedora:-
|
— |
In Cacti existieren mehrere Cross-Site Scripting Schwachstellen. HTML und Script-Eingaben werden in mehrere php-Komponenten nicht ordnungsgemäß überprüft, bevor sie an den Benutzer zurückgegeben werden. Ein entfernter, anonymer Angreifer kann durch Ausnutzung dieser Schwachstellen beliebigen HTML- und Script-Code durch den Browser des Benutzers im Kontext der betroffenen Seite ausführen. Zur erfolgreichen Ausnutzung ist eine Benutzeraktion erforderlich.
Affected products
Known affected
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Debian Linux
Debian
|
cpe:/o:debian:debian_linux:-
|
— | |
|
Amazon Linux 2
Amazon
|
cpe:/o:amazon:linux_2:-
|
— | |
|
Fedora Linux
Fedora
|
cpe:/o:fedoraproject:fedora:-
|
— |
In Cacti existieren mehrere Cross-Site Scripting Schwachstellen. HTML und Script-Eingaben werden in templates_import.php und database nicht ordnungsgemäß überprüft, bevor sie an den Benutzer zurückgegeben werden. Ein entfernter, authentifiziert Angreifer kann durch Ausnutzung dieser Schwachstellen beliebigen HTML- und Script-Code durch den Browser des Benutzers im Kontext der betroffenen Seite ausführen. Zur erfolgreichen Ausnutzung ist eine Benutzeraktion erforderlich.
Affected products
Known affected
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Debian Linux
Debian
|
cpe:/o:debian:debian_linux:-
|
— | |
|
Amazon Linux 2
Amazon
|
cpe:/o:amazon:linux_2:-
|
— | |
|
Fedora Linux
Fedora
|
cpe:/o:fedoraproject:fedora:-
|
— |
In Cacti existieren mehrere Cross-Site Scripting Schwachstellen. HTML und Script-Eingaben werden in templates_import.php und database nicht ordnungsgemäß überprüft, bevor sie an den Benutzer zurückgegeben werden. Ein entfernter, authentifiziert Angreifer kann durch Ausnutzung dieser Schwachstellen beliebigen HTML- und Script-Code durch den Browser des Benutzers im Kontext der betroffenen Seite ausführen. Zur erfolgreichen Ausnutzung ist eine Benutzeraktion erforderlich.
Affected products
Known affected
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Debian Linux
Debian
|
cpe:/o:debian:debian_linux:-
|
— | |
|
Amazon Linux 2
Amazon
|
cpe:/o:amazon:linux_2:-
|
— | |
|
Fedora Linux
Fedora
|
cpe:/o:fedoraproject:fedora:-
|
— |
References
13 references
{
"document": {
"aggregate_severity": {
"text": "hoch"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "Cacti ist ein grafisches Frontend zur Visualisierung von statistischen Daten, erfasst durch die Round Robin Database rrdtool.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein entfernter, anonymer oder authentifizierter Angreifer kann mehrere Schwachstellen in Cacti ausnutzen, um vertrauliche Informationen offenzulegen, Dateien zu manipulieren und beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen oder XSS-Angriffe durchzuf\u00fchren.",
"title": "Angriff"
},
{
"category": "general",
"text": "- Linux\n- MacOS X\n- Windows",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2023-3221 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-3221.json"
},
{
"category": "self",
"summary": "WID-SEC-2023-3221 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-3221"
},
{
"category": "external",
"summary": "Amazon Linux Security Advisory ALAS-2024-1915 vom 2024-02-06",
"url": "https://alas.aws.amazon.com/ALAS-2024-1915.html"
},
{
"category": "external",
"summary": "Cacti Changelog Information vom 2023-12-26",
"url": "https://www.cacti.net/info/changelog/1.2.26"
},
{
"category": "external",
"summary": "Red Hat Bugzilla Security Notification vom 2023-12-26",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2255601"
},
{
"category": "external",
"summary": "Red Hat Bugzilla Security Notification vom 2023-12-26",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2255605"
},
{
"category": "external",
"summary": "Red Hat Bugzilla Security Notification vom 2023-12-26",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2255645"
},
{
"category": "external",
"summary": "Red Hat Bugzilla Security Notification vom 2023-12-26",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2255666"
},
{
"category": "external",
"summary": "Debian Security Advisory DLA-3765 vom 2024-03-18",
"url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00018.html"
},
{
"category": "external",
"summary": "Debian Security Advisory DSA-5646 vom 2024-03-24",
"url": "https://lists.debian.org/debian-security-announce/2024/msg00054.html"
},
{
"category": "external",
"summary": "Fedora Security Advisory FEDORA-EPEL-2024-17176C2215 vom 2024-05-22",
"url": "https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2024-17176c2215"
},
{
"category": "external",
"summary": "Fedora Security Advisory FEDORA-EPEL-2024-D0445178A9 vom 2024-05-22",
"url": "https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2024-d0445178a9"
},
{
"category": "external",
"summary": "Fedora Security Advisory FEDORA-EPEL-2024-4EA9DDC0F7 vom 2024-05-22",
"url": "https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2024-4ea9ddc0f7"
}
],
"source_lang": "en-US",
"title": "Cacti: Mehrere Schwachstellen",
"tracking": {
"current_release_date": "2024-05-21T22:00:00.000+00:00",
"generator": {
"date": "2024-08-15T18:03:11.027+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.3.5"
}
},
"id": "WID-SEC-W-2023-3221",
"initial_release_date": "2023-12-26T23:00:00.000+00:00",
"revision_history": [
{
"date": "2023-12-26T23:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
},
{
"date": "2024-02-05T23:00:00.000+00:00",
"number": "2",
"summary": "Neue Updates von Amazon aufgenommen"
},
{
"date": "2024-03-18T23:00:00.000+00:00",
"number": "3",
"summary": "Neue Updates von Debian aufgenommen"
},
{
"date": "2024-03-24T23:00:00.000+00:00",
"number": "4",
"summary": "Neue Updates von Debian aufgenommen"
},
{
"date": "2024-05-21T22:00:00.000+00:00",
"number": "5",
"summary": "Neue Updates von Fedora aufgenommen"
}
],
"status": "final",
"version": "5"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Amazon Linux 2",
"product": {
"name": "Amazon Linux 2",
"product_id": "398363",
"product_identification_helper": {
"cpe": "cpe:/o:amazon:linux_2:-"
}
}
}
],
"category": "vendor",
"name": "Amazon"
},
{
"branches": [
{
"category": "product_name",
"name": "Debian Linux",
"product": {
"name": "Debian Linux",
"product_id": "2951",
"product_identification_helper": {
"cpe": "cpe:/o:debian:debian_linux:-"
}
}
}
],
"category": "vendor",
"name": "Debian"
},
{
"branches": [
{
"category": "product_name",
"name": "Fedora Linux",
"product": {
"name": "Fedora Linux",
"product_id": "74185",
"product_identification_helper": {
"cpe": "cpe:/o:fedoraproject:fedora:-"
}
}
}
],
"category": "vendor",
"name": "Fedora"
},
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c1.2.26",
"product": {
"name": "Open Source Cacti \u003c1.2.26",
"product_id": "T031821"
}
}
],
"category": "product_name",
"name": "Cacti"
}
],
"category": "vendor",
"name": "Open Source"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-49084",
"notes": [
{
"category": "description",
"text": "Es besteht eine Schwachstelle in Cacti. Dieser Fehler besteht in der Datei link.php aufgrund einer unzureichenden Verarbeitung des Pfades der Include-Datei. Ein entfernter, authentifizierter Angreifer kann diese Schwachstelle zur Ausf\u00fchrung von beliebigem Code auf dem Server ausnutzen."
}
],
"product_status": {
"known_affected": [
"2951",
"398363",
"74185"
]
},
"release_date": "2023-12-26T23:00:00.000+00:00",
"title": "CVE-2023-49084"
},
{
"cve": "CVE-2023-49085",
"notes": [
{
"category": "description",
"text": "Es bestehen mehrere Schwachstellen in Cacti. Diese Fehler bestehen aufgrund eines SQL Injection Problems in der SNMP Notification Receivers Funktion und in der pollers.php Datei. Ein entfernter, authentifizierter Angreifer kann diese Schwachstellen ausnutzen, um vertrauliche Informationen offenzulegen, Dateien zu manipulieren und beliebigen Code auszuf\u00fchren."
}
],
"product_status": {
"known_affected": [
"2951",
"398363",
"74185"
]
},
"release_date": "2023-12-26T23:00:00.000+00:00",
"title": "CVE-2023-49085"
},
{
"cve": "CVE-2023-51448",
"notes": [
{
"category": "description",
"text": "Es bestehen mehrere Schwachstellen in Cacti. Diese Fehler bestehen aufgrund eines SQL Injection Problems in der SNMP Notification Receivers Funktion und in der pollers.php Datei. Ein entfernter, authentifizierter Angreifer kann diese Schwachstellen ausnutzen, um vertrauliche Informationen offenzulegen, Dateien zu manipulieren und beliebigen Code auszuf\u00fchren."
}
],
"product_status": {
"known_affected": [
"2951",
"398363",
"74185"
]
},
"release_date": "2023-12-26T23:00:00.000+00:00",
"title": "CVE-2023-51448"
},
{
"cve": "CVE-2023-49086",
"notes": [
{
"category": "description",
"text": "In Cacti existieren mehrere Cross-Site Scripting Schwachstellen. HTML und Script-Eingaben werden in mehrere php-Komponenten nicht ordnungsgem\u00e4\u00df \u00fcberpr\u00fcft, bevor sie an den Benutzer zur\u00fcckgegeben werden. Ein entfernter, anonymer Angreifer kann durch Ausnutzung dieser Schwachstellen beliebigen HTML- und Script-Code durch den Browser des Benutzers im Kontext der betroffenen Seite ausf\u00fchren. Zur erfolgreichen Ausnutzung ist eine Benutzeraktion erforderlich."
}
],
"product_status": {
"known_affected": [
"2951",
"398363",
"74185"
]
},
"release_date": "2023-12-26T23:00:00.000+00:00",
"title": "CVE-2023-49086"
},
{
"cve": "CVE-2023-50569",
"notes": [
{
"category": "description",
"text": "In Cacti existieren mehrere Cross-Site Scripting Schwachstellen. HTML und Script-Eingaben werden in mehrere php-Komponenten nicht ordnungsgem\u00e4\u00df \u00fcberpr\u00fcft, bevor sie an den Benutzer zur\u00fcckgegeben werden. Ein entfernter, anonymer Angreifer kann durch Ausnutzung dieser Schwachstellen beliebigen HTML- und Script-Code durch den Browser des Benutzers im Kontext der betroffenen Seite ausf\u00fchren. Zur erfolgreichen Ausnutzung ist eine Benutzeraktion erforderlich."
}
],
"product_status": {
"known_affected": [
"2951",
"398363",
"74185"
]
},
"release_date": "2023-12-26T23:00:00.000+00:00",
"title": "CVE-2023-50569"
},
{
"cve": "CVE-2023-49088",
"notes": [
{
"category": "description",
"text": "In Cacti existieren mehrere Cross-Site Scripting Schwachstellen. HTML und Script-Eingaben werden in templates_import.php und database nicht ordnungsgem\u00e4\u00df \u00fcberpr\u00fcft, bevor sie an den Benutzer zur\u00fcckgegeben werden. Ein entfernter, authentifiziert Angreifer kann durch Ausnutzung dieser Schwachstellen beliebigen HTML- und Script-Code durch den Browser des Benutzers im Kontext der betroffenen Seite ausf\u00fchren. Zur erfolgreichen Ausnutzung ist eine Benutzeraktion erforderlich."
}
],
"product_status": {
"known_affected": [
"2951",
"398363",
"74185"
]
},
"release_date": "2023-12-26T23:00:00.000+00:00",
"title": "CVE-2023-49088"
},
{
"cve": "CVE-2023-50250",
"notes": [
{
"category": "description",
"text": "In Cacti existieren mehrere Cross-Site Scripting Schwachstellen. HTML und Script-Eingaben werden in templates_import.php und database nicht ordnungsgem\u00e4\u00df \u00fcberpr\u00fcft, bevor sie an den Benutzer zur\u00fcckgegeben werden. Ein entfernter, authentifiziert Angreifer kann durch Ausnutzung dieser Schwachstellen beliebigen HTML- und Script-Code durch den Browser des Benutzers im Kontext der betroffenen Seite ausf\u00fchren. Zur erfolgreichen Ausnutzung ist eine Benutzeraktion erforderlich."
}
],
"product_status": {
"known_affected": [
"2951",
"398363",
"74185"
]
},
"release_date": "2023-12-26T23:00:00.000+00:00",
"title": "CVE-2023-50250"
}
]
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…