Executive Summary

This Alert is flagged as CWE/SANS TOP 25 Common Weakness Enumeration: two of the weaknesses listed in the CWE section below (CWE-79 and CWE-89) are on the CWE/SANS Top 25.
Summary

Title : cacti regression

Information

Name : DSA-2384
Vendor : Debian
Severity (Vendor) : N/A
First vendor Publication : 2012-01-09
Last vendor Modification : 2012-02-04
Revision : 2

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Cvss Base Score : 7.5        Attack Range : Network
Cvss Impact Score : 6.4      Attack Complexity : Low
Cvss Exploit Score : 10      Authentication : None Required

Note: this is Security-Database's rating for the alert as a whole. The advisory text below describes only a regression in the earlier fix, and the OVAL definition for DSA-2384-2 references the same five CVEs as DSA-2384-1; no separate CVE is listed for the regression itself.

Detail

It was discovered that the last security update for cacti, DSA-2384-1, introduced a regression in lenny.

For the oldstable distribution (lenny), this problem has been fixed in version 0.8.7b-2.1+lenny5.

The stable distribution (squeeze) is not affected by this regression.

We recommend that you upgrade your cacti packages.

Original Source

Url : http://www.debian.org/security/2012/dsa-2384

CWE : Common Weakness Enumeration

Id        Name
CWE-79    Failure to Preserve Web Page Structure ('Cross-site Scripting') (CWE/SANS Top 25)
CWE-89    Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection') (CWE/SANS Top 25)
CWE-20    Improper Input Validation

OVAL Definitions

Definition Id : oval:org.mitre.oval:def:15413
Title : DSA-2384-1 cacti -- several
Description : Several vulnerabilities have been discovered in cacti, a graphing tool for monitoring data. Multiple cross site scripting issues allow remote attackers to inject arbitrary web script or HTML. An SQL injection vulnerability allows remote attackers to execute arbitrary SQL commands.
Family : unix    Class : patch
Reference(s) : DSA-2384-1
    CVE-2010-1644
    CVE-2010-1645
    CVE-2010-2543
    CVE-2010-2545
    CVE-2011-4824
Version : 5
Platform(s) : Debian GNU/Linux 5.0
    Debian GNU/Linux 6.0
    Debian GNU/kFreeBSD 6.0
Product(s) : cacti

Definition Id : oval:org.mitre.oval:def:15384
Title : DSA-2384-2 cacti -- several
Description : It was discovered that the last security update for cacti, DSA-2384-1, introduced a regression in lenny.
Family : unix    Class : patch
Reference(s) : DSA-2384-2
    CVE-2010-1644
    CVE-2010-1645
    CVE-2010-2543
    CVE-2010-2545
    CVE-2011-4824
Version : 5
Platform(s) : Debian GNU/Linux 5.0
Product(s) : cacti

CPE : Common Platform Enumeration

Type : Application    Count : 39

OpenVAS Exploits

These entries are OpenVAS NVT detection checks (advisory and version tests), not exploit code.

Date          Description
2012-02-12    Name : Debian Security Advisory DSA 2384-2 (cacti)
              File : nvt/deb_2384_2.nasl
2012-02-11    Name : Debian Security Advisory DSA 2384-1 (cacti)
              File : nvt/deb_2384_1.nasl
2012-01-23    Name : Mandriva Update for cacti MDVSA-2012:010 (cacti)
              File : nvt/gb_mandriva_MDVSA_2012_010.nasl
2011-11-15    Name : Cacti Unspecified SQL Injection and Cross Site Scripting Vulnerabilities
              File : nvt/gb_cacti_50671.nasl
2010-08-30    Name : Cacti Cross Site Scripting and HTML Injection Vulnerabilities
              File : nvt/gb_cacti_42575.nasl
2010-08-30    Name : Mandriva Update for cacti MDVSA-2010:160 (cacti)
              File : nvt/gb_mandriva_MDVSA_2010_160.nasl
2010-05-25    Name : Cacti Multiple Cross Site Scripting Vulnerabilities
              File : nvt/gb_cacti_40332.nasl

Open Source Vulnerability Database (OSVDB)

Id       Description
77097    Cacti auth_login.php login_username Parameter SQL Injection
67529    Cacti user_admin.php Unspecified Parameter XSS
67528    Cacti tree.php Unspecified Parameter XSS
67527    Cacti rra.php Unspecified Parameter XSS
67526    Cacti lib/rrd.php Unspecified Parameter XSS
67525    Cacti lib/html_tree.php Unspecified Parameter XSS
67524    Cacti lib/html.php Unspecified Parameter XSS
67523    Cacti lib/html_form_template.php Unspecified Parameter XSS
67522    Cacti lib/html_form.php Unspecified Parameter XSS
67521    Cacti lib/functions.php Unspecified Parameter XSS
67520    Cacti host_templates.php Unspecified Parameter XSS
67519    Cacti host.php Unspecified Parameter XSS
67518    Cacti graph_view.php Unspecified Parameter XSS
67517    Cacti graph_templates.php Unspecified Parameter XSS
67516    Cacti graph_templates_items.php Unspecified Parameter XSS
67515    Cacti graph_templates_inputs.php Unspecified Parameter XSS
67514    Cacti graphs.php Unspecified Parameter XSS
67513    Cacti graphs_new.php Unspecified Parameter XSS
67512    Cacti graph.php Unspecified Parameter XSS
67511    Cacti gprint_presets.php Unspecified Parameter XSS
67510    Cacti data_templates.php Unspecified Parameter XSS
67509    Cacti data_sources.php Unspecified Parameter XSS
67508    Cacti data_queries.php Unspecified Parameter XSS
67507    Cacti data_input.php Unspecified Parameter XSS
67506    Cacti cdef.php Unspecified Parameter XSS
67505    Cacti templates_import.php XML Template name Element XSS
67369    Cacti data_sources.php host_id Parameter XSS
65014    Cacti host.php Multiple Parameter XSS
63972    Cacti Multiple Function Hostname Editing Arbitrary Shell Command Execution
60566    Cacti graph.php Multiple Parameter XSS

Nessus® Vulnerability Scanner

Date          Description
2014-01-22    Name : The remote Gentoo host is missing one or more security-related patches.
              File : gentoo_GLSA-201401-20.nasl - Type : ACT_GATHER_INFO
2012-01-20    Name : A web application hosted on the remote web server has multiple cross-site scr...
              File : cacti_087g.nasl - Type : ACT_GATHER_INFO
2012-01-12    Name : The remote Debian host is missing a security-related update.
              File : debian_DSA-2384.nasl - Type : ACT_GATHER_INFO
2011-11-14    Name : The remote Fedora host is missing a security update.
              File : fedora_2011-15032.nasl - Type : ACT_GATHER_INFO
2011-11-14    Name : The remote Fedora host is missing a security update.
              File : fedora_2011-15071.nasl - Type : ACT_GATHER_INFO
2011-11-14    Name : The remote Fedora host is missing a security update.
              File : fedora_2011-15110.nasl - Type : ACT_GATHER_INFO
2010-05-04    Name : A web application hosted on the remote web server has multiple vulnerabilities.
              File : cacti_087e.nasl - Type : ACT_GATHER_INFO
2010-02-24    Name : The remote Debian host is missing a security-related update.
              File : debian_DSA-1954.nasl - Type : ACT_GATHER_INFO

Alert History

Date                   Information
2014-02-17 11:30:43    Multiple Updates
2013-05-11 00:44:15    Multiple Updates