The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of Cacti: multiple vulnerabilities

Synthesis of the vulnerability 

An attacker can use several vulnerabilities of Cacti.
Vulnerable products: Cacti, Debian, Fedora, openSUSE.
Severity of this weakness: 2/4.
Number of vulnerabilities in this bulletin: 3.
Creation date: 26/08/2013.
References of this bulletin: 2383, BID-62001, BID-62005, CVE-2013-5588, CVE-2013-5589, DSA-2747-1, FEDORA-2013-15444, FEDORA-2013-15466, MDVSA-2013:228, openSUSE-SU-2014:0600-1, VIGILANCE-VUL-13314.

Description of the vulnerability 

Several vulnerabilities were announced in Cacti.

An attacker can trigger a Cross Site Scripting in "/install/index.php", in order to execute JavaScript code in the context of the web site. [severity:2/4; BID-62001, CVE-2013-5588]

An attacker can trigger a Cross Site Scripting in "/cacti/host.php", in order to execute JavaScript code in the context of the web site. [severity:2/4; BID-62001, CVE-2013-5588]

An attacker can use a SQL injection in "/cacti/host.php", in order to read or alter data. [severity:2/4; BID-62005, CVE-2013-5589]

This security announcement affects software or systems such as Cacti, Debian, Fedora, openSUSE.

Our Vigil@nce team determined that the severity of this threat is medium.

The trust level is "confirmed by the editor", and the origin is a document.

This bulletin is about 3 vulnerabilities.

An attacker with expert skills can exploit the vulnerabilities in this announcement.

Solutions for this threat 

Cacti: version 0.8.8c.
The version 0.8.8c is fixed:
  http://www.cacti.net/download_cacti.php

Cacti: patch for XSS/SQLI.
A patch is available:
  http://svn.cacti.net/viewvc?view=rev&revision=7420
  http://svn.cacti.net/viewvc?view=rev&revision=7421

Debian: new cacti packages.
New packages are available:
  cacti 0.8.7g-1+squeeze3
  cacti 0.8.8a+dfsg-5+deb7u2

Fedora: new cacti packages.
New packages are available:
  cacti-0.8.8b-2.fc18
  cacti-0.8.8b-2.fc19

Mandriva: new cacti packages.
New packages are available:
  cacti-0.8.8b-0.2mdvmes5.2

openSUSE: new cacti packages.
New packages are available:
  openSUSE 12.3: cacti 0.8.8b-5.8.1
  openSUSE 13.1: cacti 0.8.8b-4.1
