Summary
Multiple security issues (cross-site scripting, cross-site request forgery, SQL injection, missing input sanitising) have been found in Cacti, a web front-end for RRDTool.
Solution
For the stable distribution (wheezy), these problems have been fixed in version 0.8.8a+dfsg-5+deb7u3.
For the testing distribution (jessie), these problems have been fixed in version 0.8.8b+dfsg-6.
For the unstable distribution (sid), these problems have been fixed in version 0.8.8b+dfsg-6.
We recommend that you upgrade your cacti packages.
Insight
Cacti is a complete PHP-driven front-end for RRDTool. It stores all of the necessary data source information to create graphs, handles the data gathering, and populates the MySQL database with round-robin archives.
It also includes SNMP support for those used to creating traffic graphs with MRTG.
Affected
cacti on Debian Linux
Detection
This check tests the installed software version using the apt package manager.
Updated on 2015-03-25
Severity
Classification
CVE: CVE-2014-2326, CVE-2014-2327, CVE-2014-2328, CVE-2014-2708, CVE-2014-2709, CVE-2014-4002
CVSS Base Score: 7.5
CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P