
Debian Buster: DLA-3765-1 Critical: SQL Injection and XSS Issues

Debian LTS
March 18, 2024
Multiple vulnerabilities were found in Cacti, a network monitoring system.

Summary

CVE-2023-39357

When the column type is numeric, the sql_save function directly
utilizes user input. Many files and functions calling the sql_save
function do not perform prior validation of user input, leading to
the existence of multiple SQL injection vulnerabilities in
Cacti. This allows authenticated users to exploit these SQL
injection vulnerabilities to perform privilege escalation and
remote code execution.
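To make the `sql_save` pattern described above concrete, here is an added example (not Cacti's own code, and with hypothetical table and column names) that builds the statement two ways: once with numeric columns interpolated straight from user input, as the advisory describes, and once with a strict integer check plus parameter binding. It uses Python's `sqlite3` in place of Cacti's MySQL layer; the schema and `NUMERIC_COLUMNS` set are constructed for the example.

```python
import re
import sqlite3

# Constructed stand-in for a Cacti-style table with a numeric column (hypothetical names).
SCHEMA = "CREATE TABLE host (id INTEGER PRIMARY KEY, description TEXT, snmp_port INTEGER)"
NUMERIC_COLUMNS = {"id", "snmp_port"}

IDENT_PATTERN = re.compile(r"[a-z_][a-z0-9_]*")   # table/column names we control
INT_PATTERN = re.compile(r"-?[0-9]{1,10}")         # what a numeric column may receive


def new_connection():
    """In-memory database with the constructed schema applied."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def build_sql_unvalidated(table, row):
    """The weak pattern the advisory describes: string columns are quoted, but
    values for numeric columns are dropped into the SQL text exactly as received.
    Returned as text (not executed) so the caller can see what would run."""
    cols, vals = [], []
    for col, val in row.items():
        cols.append(col)
        if col in NUMERIC_COLUMNS:
            vals.append(str(val))                      # raw user input becomes SQL
        else:
            vals.append("'" + str(val).replace("'", "''") + "'")
    return f"INSERT INTO {table} ({', '.join(cols)}) VALUES ({', '.join(vals)})"


def validate_numeric(col, val):
    """Accept only a plain integer literal; anything else is rejected before
    it can reach the statement."""
    s = str(val).strip()
    if not INT_PATTERN.fullmatch(s):
        raise ValueError(f"column {col!r}: expected integer, got {s!r}")
    return int(s)


def sql_save_hardened(conn, table, row):
    """Validate identifiers against a fixed pattern, type-check numeric
    columns, and bind every value as a parameter so no user data is ever
    part of the SQL text. Returns the new row id."""
    if not IDENT_PATTERN.fullmatch(table):
        raise ValueError(f"bad table name {table!r}")
    cols, params = [], []
    for col, val in row.items():
        if not IDENT_PATTERN.fullmatch(col):
            raise ValueError(f"bad column name {col!r}")
        cols.append(col)
        params.append(validate_numeric(col, val) if col in NUMERIC_COLUMNS else str(val))
    placeholders = ", ".join("?" for _ in cols)
    sql = f"INSERT INTO {table} ({', '.join(cols)}) VALUES ({placeholders})"
    cur = conn.execute(sql, params)
    conn.commit()
    return cur.lastrowid


def fetch_port(conn, rowid):
    """Read back the stored snmp_port for a row id (helper for checking results)."""
    return conn.execute("SELECT snmp_port FROM host WHERE id = ?", (rowid,)).fetchone()[0]


def hardened_rejects(conn, row):
    """True if the hardened save refuses the row instead of storing it."""
    try:
        sql_save_hardened(conn, "host", row)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    conn = new_connection()
    print(build_sql_unvalidated("host", {"description": "core-sw", "snmp_port": "not_a_number"}))
    rid = sql_save_hardened(conn, "host", {"description": "core-sw", "snmp_port": "161"})
    print("stored port:", fetch_port(conn, rid))
    print("rejects malformed:", hardened_rejects(conn, {"description": "x", "snmp_port": "161 extra"}))
```

The unvalidated builder shows why "numeric" is not a safety property on its own: the column type says nothing about what the caller actually passed. The hardened version treats the column type as a contract to enforce on input, and binds the value regardless, so a validation gap in one of the many callers the advisory mentions no longer reaches the database.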

CVE-2023-39360

Stored Cross-Site Scripting (XSS) vulnerability allows an
authenticated user to poison data. The vulnerability is found in
`graphs_new.php`. Several validations are performed, but the
`returnto` parameter is directly passed to `form_save_button`. In
order to bypass this validation, `returnto` must contain `host.php`.
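The weakness in the `returnto` handling is that the check is a substring test, so any value containing `host.php` passes. The added example below (not Cacti's code; the allowlist, the hidden-field renderer and the function names are hypothetical) contrasts that substring check with an exact allowlist of return targets, and escapes the value on output as a second layer.

```python
from html import escape
from urllib.parse import urlsplit

# Constructed allowlist of pages that may be named as a save-and-return target.
ALLOWED_RETURN_PAGES = {"host.php", "graphs_new.php"}


def returnto_substring_check(returnto):
    """The weak check the advisory describes: passes whenever the string
    merely contains 'host.php', whatever surrounds it."""
    return "host.php" in returnto


def returnto_allowlist_check(returnto):
    """Strict alternative: the value must be exactly one of the allowed page
    names, with no scheme, host, directory, query string or fragment."""
    parts = urlsplit(returnto)
    if parts.scheme or parts.netloc or parts.query or parts.fragment:
        return False
    return parts.path in ALLOWED_RETURN_PAGES


def form_save_button_html(returnto):
    """Render the hidden field only for an allowlisted target, and HTML-escape
    the value even then so the markup cannot be broken out of."""
    if not returnto_allowlist_check(returnto):
        raise ValueError(f"returnto {returnto!r} is not an allowed page")
    return f'<input type="hidden" name="returnto" value="{escape(returnto, quote=True)}">'


def rendering_rejected(returnto):
    """True if form_save_button_html refuses the value."""
    try:
        form_save_button_html(returnto)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for candidate in ["host.php", "other/host.php?x=1", "host.php#frag"]:
        print(f"{candidate!r}: substring={returnto_substring_check(candidate)} "
              f"allowlist={returnto_allowlist_check(candidate)}")
    print(form_save_button_html("host.php"))
```

The allowlist check fails closed: a value that is not one of the known page names is rejected outright, so the output escaping never has to cope with attacker-shaped input in the first place.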

CVE-2023-39361

SQL injection discovered in graph_view.php. Since guest users can
access graph_view.php without authentication by default, if guest


Severity: Critical

Package: cacti
Version: 1.2.2+ds1-2+deb10u6
CVE ID: CVE-2023-39357 CVE-2023-39360 CVE-2023-39361 CVE-2023-39362
Debian Bug: 1059254
