Debian 11: DLA-3884-1 Critical: Cacti XSS and SQL Injection Risks

debian lts
September 9, 2024
Debian LTS Advisory DLA-3884-2 resolves several security issues in Cacti, such as CSRF and command injection.
Cacti, a web interface for graphing of monitoring systems, was vulnerable

Summary

CVE-2022-41444

A Cross Site Scripting (XSS) vulnerability was found via a crafted
POST request to graphs_new.php.

CVE-2024-25641

An arbitrary file write vulnerability was found, exploitable through
the "Package Import" feature. This vulnerability allowed authenticated
users having the "Import Templates" permission to execute
arbitrary PHP code (RCE) on the web server.

CVE-2024-31443

A Cross Site Scripting (XSS) vulnerability was found via a crafted request
to the data_queries.php file.

CVE-2024-31444

A Cross Site Scripting (XSS) vulnerability was found via a crafted request
to the automation_tree_rules.php file, through the
automation_tree_rules_form_save() function.

CVE-2024-31445

A SQL injection vulnerability was found in the automation_get_new_graphs_sql
function of `api_automation.php`, allowing authenticated users to exploit
it to perform privilege escalation and remote code execution.

CVE-2024-31458

Severity: critical

Package: cacti
Version: 1.2.16+ds1-2+deb11u4
CVE ID: CVE-2022-41444 CVE-2024-25641 CVE-2024-31443 CVE-2024-31444
