-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Tue, 29 Mar 2022 10:32:32 +0200 Source: cacti Binary: cacti Architecture: source Version: 0.8.8h+ds1-10+deb9u2 Distribution: stretch-security Urgency: high Maintainer: Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org> Changed-By: Sylvain Beucler <beuc@debian.org> Description: cacti - web interface for graphing of monitoring systems Closes: 926700 949996 Changes: cacti (0.8.8h+ds1-10+deb9u2) stretch-security; urgency=high . * Non-maintainer upload by the LTS Security Team. * CVE-2018-10060: Cacti has XSS because it does not properly reject unintended characters, related to use of the sanitize_uri function in lib/functions.php. * CVE-2018-10061: Cacti has XSS because it makes certain htmlspecialchars calls without the ENT_QUOTES flag (these calls occur when the html_escape function in lib/html.php is not used). * CVE-2019-11025: no escaping occurs before printing out the value of the SNMP community string (SNMP Options) in the View poller cache, leading to XSS. (Closes: #926700) * CVE-2020-7106: Cacti has stored XSS in multiple files as demonstrated by the description parameter in data_sources.php (a raw string from the database that is displayed by $header to trigger the XSS). (Closes: #949996) * CVE-2020-13230: disabling a user account does not immediately invalidate any permissions granted to that account (e.g., permission to view logs). * CVE-2020-23226: Multiple Cross Site Scripting (XSS) vulnerabilities exist in multiple files. * CVE-2021-23225: Cacti allows authenticated users with User Management permissions to inject arbitrary web script or HTML in the "new_username" field during creation of a new user via "Copy" method at user_admin.php. * CVE-2022-0730: under certain ldap conditions, Cacti authentication can be bypassed with certain credential types. Checksums-Sha1: da6347b074be2f67d561b301b78d4d9db4dd1652 2011 cacti_0.8.8h+ds1-10+deb9u2.dsc ab1f485fde4c570e0e10338e73113a4568c5d806 57156 cacti_0.8.8h+ds1-10+deb9u2.debian.tar.xz d88c18a1a0822f9059f5a4d74719f4a4cc12ed25 5626 cacti_0.8.8h+ds1-10+deb9u2_all.buildinfo Checksums-Sha256: b311b9811f10980141b69d26ba879a24c9586c19eab7b8c48dd3119705524c2b 2011 cacti_0.8.8h+ds1-10+deb9u2.dsc a9a911f5211a755a89c874f412804636f352ea100403e535a21078e7b29caf99 57156 cacti_0.8.8h+ds1-10+deb9u2.debian.tar.xz f2ee385d73c131a7f5754b8cb4a69cc6851422936e4fee474bb71ee96cee43f5 5626 cacti_0.8.8h+ds1-10+deb9u2_all.buildinfo Files: 0587788e7ed0424c0d2dd42d399380d5 2011 web extra cacti_0.8.8h+ds1-10+deb9u2.dsc 1739e48f615bbd9577496f6623a819a8 57156 web extra cacti_0.8.8h+ds1-10+deb9u2.debian.tar.xz 9d7fa41a8b55404295ad0278b792b670 5626 web extra cacti_0.8.8h+ds1-10+deb9u2_all.buildinfo -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE1vEOfV7HXWKqBieIDTl9HeUlXjAFAmJDNyMACgkQDTl9HeUl XjDLTQ//TBK9KTYNo811NIXh2N325pkY8G4zRvAcbSsREkanw7idLipIbbvMaZ22 B2AEvojmg+CN3yk9G0JYDzfd+rSV0koEtAhTxP7n9gjyI/Tiq2bV97cQah3bF0+2 f89V1mG8SZg8greaBV0NwH0Z5ih9hW68DFlsxh8jyWNxYl2WF9NrhcaWLCJYm61z fiKqB/ncCd08bwUflXgSZj8m95VUBh/UEHFZScXAKRencoMb/gHuQq6cRX4BBPTm zoBgKWqV9bDbF345BWFaSmKo5Oqopd5AI9U/JO32JlkXCFu8anBqrOYbqIQF77Wc ULPrVdRwx+vY+FHziQhxhsYphqjxPKAbhvSLC0fwKe9R+zizKhcprX+X5TL9hI/0 kHsxSEZk4uilz16nr/Cmv0f5IYPCRgxzTtalFpitKJNRDa8yHbCAUMzGA/aLeEY9 JAU7JAr1g+CpP7s11mEmkLRsmMtr0fQiuOZhu3/g8lNqtHkdb0VyB12UvhFuxCfv BNwKsV7j9gAnOKeDadYmPGIb1uSC/h4KOaVHWrGYje1Ju0cFG3I+o3wVlM1ZtzzZ al5Y6XwIqH0LuSAPaxxsmzWi1YZpH9cBDhIIahcxdeP8Zk66ppekqrJWTQKjurrq EH1Ts7U5QhVaR9ZcGoGf5Z/11/qrfzsq/bPiIqSv+datX++uFe0= =Jxv3 -----END PGP SIGNATURE-----