cacti - Debian Package Tracker

general

source: cacti (main)
version: 1.2.30+ds1-1
maintainer: Cacti Maintainer (archive) (DMD)
uploaders: Paul Gevers [DMD]
arch: all
std-ver: 4.6.1
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

oldstable: 1.2.16+ds1-2+deb11u3
old-sec: 1.2.16+ds1-2+deb11u5
stable: 1.2.24+ds1-1+deb12u5
stable-sec: 1.2.24+ds1-1+deb12u5
testing: 1.2.30+ds1-1
unstable: 1.2.30+ds1-1

versioned links

1.2.16+ds1-2+deb11u3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.2.16+ds1-2+deb11u5: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.2.24+ds1-1+deb12u5: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.2.30+ds1-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

cacti (1 bugs: 0, 1, 0, 0)

action needed

12 security issues in buster high

There are 12 open security issues in buster.

10 important issues:

CVE-2024-25641: Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, an arbitrary file write vulnerability, exploitable through the "Package Import" feature, allows authenticated users having the "Import Templates" permission to execute arbitrary PHP code on the web server. The vulnerability is located within the `import_package()` function defined into the `/lib/import.php` script. The function blindly trusts the filename and file content provided within the XML data, and writes such files into the Cacti base path (or even outside, since path traversal sequences are not filtered). This can be exploited to write or overwrite arbitrary files on the web server, leading to execution of arbitrary PHP code or other security impacts. Version 1.2.27 contains a patch for this issue.
CVE-2024-27082: Cacti provides an operational monitoring and fault management framework. Versions of Cacti prior to 1.2.27 are vulnerable to stored cross-site scripting, a type of cross-site scripting where malicious scripts are permanently stored on a target server and served to users who access a particular page. Version 1.2.27 contains a patch for the issue.
CVE-2024-29894: Cacti provides an operational monitoring and fault management framework. Versions of Cacti prior to 1.2.27 contain a residual cross-site scripting vulnerability caused by an incomplete fix for CVE-2023-50250. `raise_message_javascript` from `lib/functions.php` now uses purify.js to fix CVE-2023-50250 (among others). However, it still generates the code out of unescaped PHP variables `$title` and `$header`. If those variables contain single quotes, they can be used to inject JavaScript code. An attacker exploiting this vulnerability could execute actions on behalf of other users. This ability to impersonate users could lead to unauthorized changes to settings. Version 1.2.27 fixes this issue.
CVE-2024-31443: Cacti provides an operational monitoring and fault management framework. Prior to 1.2.27, some of the data stored in `form_save()` function in `data_queries.php` is not thoroughly checked and is used to concatenate the HTML statement in `grow_right_pane_tree()` function from `lib/html.php` , finally resulting in cross-site scripting. Version 1.2.27 contains a patch for the issue.
CVE-2024-31444: Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, some of the data stored in `automation_tree_rules_form_save()` function in `automation_tree_rules.php` is not thoroughly checked and is used to concatenate the HTML statement in `form_confirm()` function from `lib/html.php` , finally resulting in cross-site scripting. Version 1.2.27 contains a patch for the issue.
CVE-2024-31445: Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, a SQL injection vulnerability in `automation_get_new_graphs_sql` function of `api_automation.php` allows authenticated users to exploit these SQL injection vulnerabilities to perform privilege escalation and remote code execution. In `api_automation.php` line 856, the `get_request_var('filter')` is being concatenated into the SQL statement without any sanitization. In `api_automation.php` line 717, The filter of `'filter'` is `FILTER_DEFAULT`, which means there is no filter for it. Version 1.2.27 contains a patch for the issue.
CVE-2024-31458: Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, some of the data stored in `form_save()` function in `graph_template_inputs.php` is not thoroughly checked and is used to concatenate the SQL statement in `draw_nontemplated_fields_graph_item()` function from `lib/html_form_templates.php` , finally resulting in SQL injection. Version 1.2.27 contains a patch for the issue.
CVE-2024-31459: Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, there is a file inclusion issue in the `lib/plugin.php` file. Combined with SQL injection vulnerabilities, remote code execution can be implemented. There is a file inclusion issue with the `api_plugin_hook()` function in the `lib/plugin.php` file, which reads the plugin_hooks and plugin_config tables in database. The read data is directly used to concatenate the file path which is used for file inclusion. Version 1.2.27 contains a patch for the issue.
CVE-2024-31460: Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, some of the data stored in `automation_tree_rules.php` is not thoroughly checked and is used to concatenate the SQL statement in `create_all_header_nodes()` function from `lib/api_automation.php` , finally resulting in SQL injection. Using SQL based secondary injection technology, attackers can modify the contents of the Cacti database, and based on the modified content, it may be possible to achieve further impact, such as arbitrary file reading, and even remote code execution through arbitrary file writing. Version 1.2.27 contains a patch for the issue.
CVE-2024-34340: Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, Cacti calls `compat_password_hash` when users set their password. `compat_password_hash` use `password_hash` if there is it, else use `md5`. When verifying password, it calls `compat_password_verify`. In `compat_password_verify`, `password_verify` is called if there is it, else use `md5`. `password_verify` and `password_hash` are supported on PHP < 5.5.0, following PHP manual. The vulnerability is in `compat_password_verify`. Md5-hashed user input is compared with correct password in database by `$md5 == $hash`. It is a loose comparison, not `===`. It is a type juggling vulnerability. Version 1.2.27 contains a patch for the issue.

2 ignored issues:

CVE-2023-30534: Cacti is an open source operational monitoring and fault management framework. There are two instances of insecure deserialization in Cacti version 1.2.24. While a viable gadget chain exists in Cacti’s vendor directory (phpseclib), the necessary gadgets are not included, making them inaccessible and the insecure deserializations not exploitable. Each instance of insecure deserialization is due to using the unserialize function without sanitizing the user input. Cacti has a “safe” deserialization that attempts to sanitize the content and check for specific values before calling unserialize, but it isn’t used in these instances. The vulnerable code lies in graphs_new.php, specifically within the host_new_graphs_save function. This issue has been addressed in version 1.2.25. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE-2023-37543: Cacti before 1.2.6 allows IDOR (Insecure Direct Object Reference) for accessing any graph via a modified local_graph_id parameter to graph_xport.php. This is a different vulnerability than CVE-2019-16723.

Created: 2024-05-14 Last update: 2024-06-29 13:15

Depends on packages which need a new maintainer normal

The packages that cacti depends on which need a new maintainer are:

dh-linktree (#980413)
- Build-Depends: dh-linktree

Created: 2021-01-18 Last update: 2025-07-20 14:01

lintian reports 6 warnings normal

Lintian reports 6 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2025-04-10 Last update: 2025-04-10 00:30

2 low-priority security issues in bookworm low

There are 2 open security issues in bookworm.

1 issue left for the package maintainer to handle:

CVE-2023-46490: (needs triaging) SQL Injection vulnerability in Cacti v1.2.25 allows a remote attacker to obtain sensitive information via the form_actions() function in the managers.php function.

You can find information about how to handle this issue in the security team's documentation.

1 ignored issue:

CVE-2023-30534: Cacti is an open source operational monitoring and fault management framework. There are two instances of insecure deserialization in Cacti version 1.2.24. While a viable gadget chain exists in Cacti’s vendor directory (phpseclib), the necessary gadgets are not included, making them inaccessible and the insecure deserializations not exploitable. Each instance of insecure deserialization is due to using the unserialize function without sanitizing the user input. Cacti has a “safe” deserialization that attempts to sanitize the content and check for specific values before calling unserialize, but it isn’t used in these instances. The vulnerable code lies in graphs_new.php, specifically within the host_new_graphs_save function. This issue has been addressed in version 1.2.25. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Created: 2023-08-17 Last update: 2025-04-07 06:32

debian/patches: 5 patches to forward upstream low

Among the 8 debian patches available in version 1.2.30+ds1-1 of the package, we noticed the following issues:

5 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.

Created: 2023-02-26 Last update: 2025-04-05 23:55

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.2 instead of 4.6.1).

Created: 2022-12-17 Last update: 2025-04-05 19:26

news

[rss feed]

[2025-04-07] cacti 1.2.30+ds1-1 MIGRATED to testing (Debian testing watch)
[2025-04-05] Accepted cacti 1.2.30+ds1-1 (source) into unstable (Paul Gevers)
[2025-02-16] Accepted cacti 1.2.24+ds1-1+deb12u5 (source) into proposed-updates (Debian FTP Masters) (signed by: Bastien ROUCARIÈS)
[2025-02-10] Accepted cacti 1.2.16+ds1-2+deb11u5 (source) into oldstable-security (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
[2025-02-10] Accepted cacti 1.2.24+ds1-1+deb12u5 (source) into stable-security (Debian FTP Masters) (signed by: Bastien ROUCARIÈS)
[2025-02-01] cacti 1.2.28+ds1-4 MIGRATED to testing (Debian testing watch)
[2025-01-29] Accepted cacti 1.2.28+ds1-4 (source) into unstable (Paul Gevers)
[2024-12-15] cacti 1.2.28+ds1-3 MIGRATED to testing (Debian testing watch)
[2024-12-12] Accepted cacti 1.2.28+ds1-3 (source) into unstable (Paul Gevers)
[2024-10-14] cacti 1.2.28+ds1-2 MIGRATED to testing (Debian testing watch)
[2024-10-12] Accepted cacti 1.2.28+ds1-2 (source) into unstable (Paul Gevers)
[2024-10-11] Accepted cacti 1.2.28+ds1-1 (source) into unstable (Paul Gevers)
[2024-09-09] Accepted cacti 1.2.16+ds1-2+deb11u4 (source) into oldstable-security (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
[2024-08-25] Accepted cacti 1.2.24+ds1-1+deb12u4 (source) into proposed-updates (Debian FTP Masters) (signed by: Bastien ROUCARIÈS)
[2024-08-23] Accepted cacti 1.2.24+ds1-1+deb12u3 (source) into proposed-updates (Debian FTP Masters) (signed by: Bastien ROUCARIÈS)
[2024-05-20] cacti 1.2.27+ds1-2 MIGRATED to testing (Debian testing watch)
[2024-05-20] cacti 1.2.27+ds1-2 MIGRATED to testing (Debian testing watch)
[2024-05-17] Accepted cacti 1.2.27+ds1-2 (source) into unstable (Paul Gevers)
[2024-05-16] Accepted cacti 1.2.27+ds1-1 (source) into unstable (Paul Gevers)
[2024-03-25] Accepted cacti 1.2.16+ds1-2+deb11u3 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Sylvain Beucler)
[2024-03-24] Accepted cacti 1.2.24+ds1-1+deb12u2 (source) into proposed-updates (Debian FTP Masters) (signed by: Sylvain Beucler)
[2024-03-24] Accepted cacti 1.2.24+ds1-1+deb12u2 (source) into stable-security (Debian FTP Masters) (signed by: Sylvain Beucler)
[2024-03-24] Accepted cacti 1.2.16+ds1-2+deb11u3 (source) into oldstable-security (Debian FTP Masters) (signed by: Sylvain Beucler)
[2024-03-18] Accepted cacti 1.2.2+ds1-2+deb10u6 (source) into oldoldstable (Sylvain Beucler)
[2023-12-28] cacti 1.2.26+ds1-1 MIGRATED to testing (Debian testing watch)
[2023-12-25] Accepted cacti 1.2.26+ds1-1 (source) into unstable (Paul Gevers)
[2023-11-12] Accepted cacti 1.2.24+ds1-1+deb12u1 (source all) into proposed-updates (Debian FTP Masters) (signed by: Paul Gevers)
[2023-11-12] Accepted cacti 1.2.16+ds1-2+deb11u2 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Paul Gevers)
[2023-11-08] Accepted cacti 1.2.16+ds1-2+deb11u2 (source) into oldstable-security (Debian FTP Masters) (signed by: Paul Gevers)
[2023-11-08] Accepted cacti 1.2.24+ds1-1+deb12u1 (source all) into stable-security (Debian FTP Masters) (signed by: Paul Gevers)

bugs [bug history graph]

all: 1
RC: 0
I&N: 1
M&W: 0
F&P: 0
patch: 0

links

homepage
lintian (0, 6)
buildd: logs, reproducibility
popcon
browse source code
edit tags
other distros
security tracker
screenshots
l10n (94, 96)
debian patches
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 1.2.30+ds1-1ubuntu1
10 bugs
patches for 1.2.30+ds1-1ubuntu1