-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 11 Aug 2024 17:28:54 +0000
Source: cacti
Architecture: source
Version: 1.2.24+ds1-1+deb12u3
Distribution: bookworm
Urgency: medium
Maintainer: Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>
Changed-By: Bastien Roucariès <rouca@debian.org>
Changes:
 cacti (1.2.24+ds1-1+deb12u3) bookworm; urgency=medium
 .
   * Non-maintainer upload by the LTS Security Team.
   * Fix CVE-2024-25641: RCE vulnerability when importing packages.
     An arbitrary file write vulnerability, exploitable through the
     "Package Import" feature, allows authenticated users having the
     "Import Templates" permission to execute arbitrary PHP code on the
     web server (RCE).
   * Fix CVE-2024-29894: XSS vulnerability when using the JavaScript based
     messaging API.
     raise_message_javascript from lib/functions.php now uses purify.js to
     fix CVE-2023-50250 (among others). However, it still generates the
     code out of unescaped PHP variables $title and $header. If those
     variables contain single quotes, they can be used to inject
     JavaScript code.
   * Fix CVE-2024-31443: XSS vulnerability when managing data queries.
     Some of the data stored in the form_save() function in
     data_queries.php is not thoroughly checked and is used to
     concatenate the HTML statement in the grow_right_pane_tree()
     function from lib/html.php, finally resulting in XSS.
   * Fix CVE-2024-31444: XSS vulnerability when reading tree rules with
     the Automation API.
     Some of the data stored in the automation_tree_rules_form_save()
     function in automation_tree_rules.php is not thoroughly checked and
     is used to concatenate the HTML statement in the form_confirm()
     function from lib/html.php, finally resulting in XSS.
   * Fix CVE-2024-31445: SQL injection vulnerability.
     A SQL injection vulnerability in the `automation_get_new_graphs_sql`
     function of `api_automation.php` allows authenticated users to
     exploit these SQL injection vulnerabilities to perform privilege
     escalation and remote code execution.
     In `api_automation.php` line 856, `get_request_var('filter')` is
     being concatenated into the SQL statement without any sanitization.
     In `api_automation.php` line 717, the filter for `'filter'` is
     `FILTER_DEFAULT`, which means there is no filter for it.
   * Fix CVE-2024-31458: SQL injection vulnerability.
     Some of the data stored in the `form_save()` function in
     `graph_template_inputs.php` is not thoroughly checked and is used to
     concatenate the SQL statement in the
     `draw_nontemplated_fields_graph_item()` function from
     `lib/html_form_templates.php`, finally resulting in SQL injection.
   * Fix CVE-2024-31459: Remote code execution.
     There is a file inclusion issue in the lib/plugin.php file. Combined
     with SQL injection vulnerabilities, RCE can be implemented.
   * Fix CVE-2024-31460: SQL code injection.
     Some of the data stored in `automation_tree_rules.php` is not
     thoroughly checked and is used to concatenate the SQL statement in
     the `create_all_header_nodes()` function from
     `lib/api_automation.php`, finally resulting in SQL injection. Using
     SQL based secondary injection technology, attackers can modify the
     contents of the Cacti database, and based on the modified content,
     it may be possible to achieve further impact, such as arbitrary file
     reading, and even remote code execution through arbitrary file
     writing.
   * Fix CVE-2024-34340: type juggling vulnerability.
     Cacti calls `compat_password_hash` when users set their password.
     `compat_password_hash` uses `password_hash` if it is available, else
     it uses `md5`. When verifying a password, it calls
     `compat_password_verify`. In `compat_password_verify`,
     `password_verify` is called if it is available, else `md5` is used.
     `password_verify` and `password_hash` are supported on PHP < 5.5.0,
     following the PHP manual. The vulnerability is in
     `compat_password_verify`. The md5-hashed user input is compared with
     the correct password in the database by `$md5 == $hash`. It is a
     loose comparison, not `===`.
Checksums-Sha1:
 069a8fa94557406489587cea4efe462a6f7b05f3 2525 cacti_1.2.24+ds1-1+deb12u3.dsc
 dddbad3784e15fb61ceb9f0c649e45711d6bf7e3 24226965 cacti_1.2.24+ds1.orig-docs-source.tar.gz
 6f258f06289889566b7d6a255b904aae9756d97d 10026982 cacti_1.2.24+ds1.orig.tar.gz
 52f31542ea3dcd638ea141e2ea05ed39f6686171 76688 cacti_1.2.24+ds1-1+deb12u3.debian.tar.xz
 6eb6844f6669b8e20bc8887685348c9ef1f9f79b 6555 cacti_1.2.24+ds1-1+deb12u3_amd64.buildinfo
Checksums-Sha256:
 89daf59fce73dd7a1165bdd6d87ebcd4dfb561934b55d67507aba92f00b7a115 2525 cacti_1.2.24+ds1-1+deb12u3.dsc
 180acdab0fbbbae452bb6f46ad9d406cedcb540967410f71aa69be4a281bb74c 24226965 cacti_1.2.24+ds1.orig-docs-source.tar.gz
 4247d8120b0661a2019a0d39f35c6e84cfd4e4161e0791ff233c3e3bd2d571da 10026982 cacti_1.2.24+ds1.orig.tar.gz
 bbea5ad64533693b50d066c9521b82e446865306f567d71b1653148b392a8405 76688 cacti_1.2.24+ds1-1+deb12u3.debian.tar.xz
 6dadceca4c276bae10a18d2b3268dfb8d516ff8d1bcc0e302f12f7959c45aa1a 6555 cacti_1.2.24+ds1-1+deb12u3_amd64.buildinfo
Files:
 3130c771af7bcd1cf13dca5cc2314db5 2525 web optional cacti_1.2.24+ds1-1+deb12u3.dsc
 a05d1c5f50554a86fd0eb11f070594a7 24226965 web optional cacti_1.2.24+ds1.orig-docs-source.tar.gz
 69cdb0ae5b490a8328e99ad2f161aca6 10026982 web optional cacti_1.2.24+ds1.orig.tar.gz
 b3e2a13e9386b6b1e663afe53875107a 76688 web optional cacti_1.2.24+ds1-1+deb12u3.debian.tar.xz
 822c1af23792157b5c29caa6c8ddd444 6555 web optional cacti_1.2.24+ds1-1+deb12u3_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQJFBAEBCgAvFiEEXQGHuUCiRbrXsPVqADoaLapBCF8FAmbHnf8RHHJvdWNhQGRl
Ymlhbi5vcmcACgkQADoaLapBCF9zdw/+KW8HUM5sFbAVybWClod+a/kY9VF27UU1
O2ROOt4FBPKFidNr9TyaJssvuX746m4Dh/5HFhywsbFxc9hQHZSuNd+uXll9+GuR
FWADPmkc/1QV9rpczd4Igbib30+zyqebbC+dx5KialMNELbk/S/BfYK3DMz4KiO5
J8659SUswX+woLGiSU095DpH+1vNVT7P1G2UDe3C1xXVRR+5wGThKXiIWr1WcMfK
DvHKE/De9jy8jcKmmW0LfFvl8eMJjlUI3F46Vxz3XU6BH44IVaFLcny7liehqejk
JhE10PzjjI95fDIxZo2C46VG7gQ2FpQ5roR27IemCZIAeES28iSpLohGg8p+593C
BovAMyicQ0ZRVZVeV/60e7ebyfXbcYhKfy1q1dXnW1iASC1clROT5t+eL4pr0qAk
PEMXWPMhZ4G6yT1JCvmMdjtj792v92Ggy+RKt6i9j7DuYvzIrnMpKCulKN7W7igt
8S2DT9k3Mf+uEmTLjFSd5dOI/xE9hCaTG3UyBKYonUvC436OEfw6os2al4pahVnX
yZWqsuGYCQvwvT4pYKv+BJlnDWA9WTD0xIJzZgEiws0Uvl5jt8a2nhLtuBo/Kiim
J9uFrMLoVxzPDVExsrkFml4H6x6bqo/Rr4RPwiRyxcAmh767pXnwslcbT+NU1GMc
NpPZd/Csf3I=
=oBNp
-----END PGP SIGNATURE-----
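The CVE-2024-34340 entry above describes the md5 fallback in `compat_password_verify` comparing the hash of the submitted password to the stored hash with `==`. The following is an added example, not Cacti's code and not part of the Debian changelog: a hypothetical reimplementation of that fallback path in PHP, `verify_loose()`, beside a hardened form, `verify_strict()`, so the difference between PHP's loose comparison and a constant-time, type-strict comparison can be seen on constructed inputs. The function names and the fixture password are assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for the md5 fallback described in the changelog.
// PHP's == on two numeric-looking strings converts both to numbers before
// comparing, so hex digests that happen to parse as numbers (e.g. "0e" followed
// only by digits, which PHP reads as 0 * 10^n) can compare equal although the
// byte strings differ.
function verify_loose(string $password, string $storedHash): bool
{
    $md5 = md5($password);
    return $md5 == $storedHash; // loose comparison: subject to type juggling
}

// Hardened form: hash_equals() compares byte by byte, in constant time, and
// never performs numeric conversion. When password_verify() is available it
// should be used for hashes produced by password_hash(); the md5 fallback is
// only kept here to show the correct comparison for that legacy path.
function verify_strict(string $password, string $storedHash): bool
{
    $md5 = md5($password);
    return hash_equals($storedHash, $md5);
}

// Preferred path on PHP with password_hash()/password_verify(): the stored
// value is a salted hash and verification is done by the library.
function verify_modern(string $password, string $storedHash): bool
{
    return password_verify($password, $storedHash);
}

// Constructed demonstration of why == is the wrong operator for digests.
// These two strings are not real password hashes; they only share the
// numeric-string shape that == treats as equal (both evaluate to 0).
$a = '0e12345';
$b = '0e54321';
var_dump($a == $b);            // bool(true)  -- loose comparison
var_dump(hash_equals($a, $b)); // bool(false) -- byte-wise comparison

// Constructed fixture: a legacy md5 hash of a known password.
$legacyStored = md5('correct-horse-battery'); // constructed, not a real credential
assert(verify_loose('correct-horse-battery', $legacyStored) === true);
assert(verify_strict('correct-horse-battery', $legacyStored) === true);
assert(verify_strict('wrong-password', $legacyStored) === false);

// Constructed fixture: the same password stored via password_hash().
$modernStored = password_hash('correct-horse-battery', PASSWORD_DEFAULT);
assert(verify_modern('correct-horse-battery', $modernStored) === true);
assert(verify_modern('wrong-password', $modernStored) === false);

echo "ok\n";
```

The behaviour shown for `==` on two numeric strings holds on PHP 7 and PHP 8; PHP 8's changes to string-to-number comparison only affect comparisons between a number and a non-numeric string. When auditing similar code, look for any `==` or `!=` applied to digests, tokens or hashes and replace it with `hash_equals()` (or `password_verify()` where `password_hash()` produced the stored value); `===` also avoids the juggling but is not constant-time.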