Executive Summary
Field | Value
---|---
Title | New cacti packages fix regression
Information

Field | Value | Field | Value
---|---|---|---
Name | DSA-1569 | First vendor Publication | 2008-05-05
Vendor | Debian | Last vendor Modification | 2008-07-15
Severity (Vendor) | N/A | Revision | 3
Security-Database Scoring CVSS v3

CVSS vector: N/A

Metric | Value | Metric | Value
---|---|---|---
Overall CVSS Score | NA | |
Base Score | NA | Environmental Score | NA
Impact Sub Score | NA | Temporal Score | NA
Exploitability Sub Score | NA | |
Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Metric | Value | Metric | Value
---|---|---|---
CVSS Base Score | 7.5 | Attack Range | Network
CVSS Impact Score | 6.4 | Attack Complexity | Low
CVSS Exploit Score | 10 | Authentication | None Required
Detail
Since the previous security update, the cacti package could no longer be rebuilt from the source package. This update corrects that problem. Note that this problem does not affect regular use of the provided binary packages (.deb). For reference the original advisory text follows.

It was discovered that Cacti, a systems and services monitoring frontend, performed insufficient input sanitising, leading to cross site scripting and SQL injection being possible.

For the stable distribution (etch), this problem has been fixed in version 0.8.6i-3.5.
Original Source
URL: http://www.debian.org/security/2008/dsa-1569
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
50 % | CWE-89 | Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection') (CWE/SANS Top 25) |
50 % | CWE-79 | Failure to Preserve Web Page Structure ('Cross-site Scripting') (CWE/SANS Top 25) |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:20240

Field | Value | Field | Value
---|---|---|---
Oval ID | oval:org.mitre.oval:def:20240 | |
Title | DSA-1569-1 cacti - multiple vulnerabilities | |
Description | It was discovered that Cacti, a systems and services monitoring frontend, performed insufficient input sanitising, leading to cross site scripting and SQL injection being possible. | |
Family | unix | Class | patch
Reference(s) | DSA-1569-1 CVE-2008-0783 CVE-2008-0785 | Version | 5
Platform(s) | Debian GNU/Linux 4.0 | Product(s) | cacti
Definition Synopsis | | |

Definition Id: oval:org.mitre.oval:def:7735

Field | Value | Field | Value
---|---|---|---
Oval ID | oval:org.mitre.oval:def:7735 | |
Title | DSA-1569 cacti -- insufficient input sanitising | |
Description | It was discovered that Cacti, a systems and services monitoring frontend, performed insufficient input sanitising, leading to cross site scripting and SQL injection being possible. | |
Family | unix | Class | patch
Reference(s) | DSA-1569 CVE-2008-0783 CVE-2008-0785 | Version | 3
Platform(s) | Debian GNU/Linux 4.0 | Product(s) | cacti
Definition Synopsis | | |
CPE : Common Platform Enumeration
OpenVAS Exploits
Date | Name | File
---|---|---
2009-05-28 | Cacti Multiple Input Validation Vulnerabilities | nvt/cacti_27749.nasl
2009-05-16 | Cacti 'data_input.php' Cross Site Scripting Vulnerability | nvt/cacti_34991.nasl
2008-09-24 | Gentoo Security Advisory GLSA 200803-18 (cacti) | nvt/glsa_200803_18.nasl
2008-08-15 | Debian Security Advisory DSA 1569-3 (cacti) | nvt/deb_1569_3.nasl
2008-05-27 | Debian Security Advisory DSA 1569-2 (cacti) | nvt/deb_1569_2.nasl
2008-05-12 | Debian Security Advisory DSA 1569-1 (cacti) | nvt/deb_1569_1.nasl
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
41785 | Cacti index.php/sql.php Login Action login_username Parameter SQL Injection |
41784 | Cacti graph_xport.php local_graph_id Parameter SQL Injection |
41783 | Cacti tree.php Multiple Parameter SQL Injection |
41782 | Cacti index.php/login Multiple Parameter XSS |
41781 | Cacti graph_view.php filter Parameter XSS |
41740 | Cacti graph.php view_type Parameter XSS |
41739 | Cacti graph_view.php graph_list Parameter SQL Injection Cacti contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'graph_view.php' script not properly sanitizing user-supplied input to the 'graph_list' variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database. |
Nessus® Vulnerability Scanner
Date | Name | File | Type
---|---|---|---
2008-05-09 | The remote Debian host is missing a security-related update. | debian_DSA-1569.nasl | ACT_GATHER_INFO
2008-03-13 | The remote Gentoo host is missing one or more security-related patches. | gentoo_GLSA-200803-18.nasl | ACT_GATHER_INFO
2008-02-18 | The remote Fedora host is missing a security update. | fedora_2008-1699.nasl | ACT_GATHER_INFO
2008-02-18 | The remote Fedora host is missing a security update. | fedora_2008-1737.nasl | ACT_GATHER_INFO
2008-02-13 | The remote web server contains a PHP script that is susceptible to a SQL inje... | cacti_login_username_sql_injection.nasl | ACT_ATTACK
Alert History
Date | Information
---|---
2014-02-17 11:27:37 |