Test ID:	1.3.6.1.4.1.25623.1.0.892965
Category:	Debian Local Security Checks
Title:	Debian: Security Advisory (DLA-2965-1)
Summary:	The remote host is missing an update for the Debian 'cacti' package(s) announced via the DLA-2965-1 advisory.
Description:	Summary: The remote host is missing an update for the Debian 'cacti' package(s) announced via the DLA-2965-1 advisory. Vulnerability Insight: Multiple vulnerabilities were discovered in Cacti, a web interface for graphing of monitoring systems, leading to authentication bypass and cross-site scripting (XSS). An attacker may get access to unauthorized areas and impersonate other users, under certain conditions. CVE-2018-10060 Cacti has XSS because it does not properly reject unintended characters, related to use of the sanitize_uri function in lib/functions.php. CVE-2018-10061 Cacti has XSS because it makes certain htmlspecialchars calls without the ENT_QUOTES flag (these calls occur when the html_escape function in lib/html.php is not used). CVE-2019-11025 No escaping occurs before printing out the value of the SNMP community string (SNMP Options) in the View poller cache, leading to XSS. CVE-2020-7106 Cacti has stored XSS in multiple files as demonstrated by the description parameter in data_sources.php (a raw string from the database that is displayed by $header to trigger the XSS). CVE-2020-13230 Disabling a user account does not immediately invalidate any permissions granted to that account (e.g., permission to view logs). CVE-2020-23226 Multiple Cross Site Scripting (XSS) vulnerabilities exist in multiple files. CVE-2021-23225 Cacti allows authenticated users with User Management permissions to inject arbitrary web script or HTML in the new_username field during creation of a new user via Copy method at user_admin.php. CVE-2022-0730 Under certain ldap conditions, Cacti authentication can be bypassed with certain credential types. For Debian 9 stretch, these problems have been fixed in version 0.8.8h+ds1-10+deb9u2. We recommend that you upgrade your cacti packages. For the detailed security status of cacti please refer to its security tracker page at: [link moved to references] Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: [link moved to references] Affected Software/OS: 'cacti' package(s) on Debian 9. Solution: Please install the updated package(s). CVSS Score: 6.8 CVSS Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2018-10060 https://github.com/Cacti/cacti/issues/1457 https://www.cacti.net/changelog.php https://lists.debian.org/debian-lts-announce/2022/03/msg00038.html http://www.securitytracker.com/id/1040620 Common Vulnerability Exposure (CVE) ID: CVE-2018-10061 Common Vulnerability Exposure (CVE) ID: CVE-2019-11025 https://github.com/Cacti/cacti/compare/6ea486a...99995bb https://github.com/Cacti/cacti/issues/2581 https://lists.debian.org/debian-lts-announce/2019/04/msg00017.html Common Vulnerability Exposure (CVE) ID: CVE-2020-13230 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q3PCDGNELH7HEBIXRNT5J5EWQEXQAU6B/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ICJMWSY77IIGZYR6FE6NAQZFBO42VECO/ https://github.com/Cacti/cacti/issues/3343 https://github.com/Cacti/cacti/releases/tag/release%2F1.2.11 Common Vulnerability Exposure (CVE) ID: CVE-2020-23226 https://github.com/Cacti/cacti/issues/3549 https://lists.debian.org/debian-lts-announce/2022/12/msg00039.html Common Vulnerability Exposure (CVE) ID: CVE-2020-7106 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SUSOTOIEJKD2IWJHN7TY56TDZJQZJUVJ/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XLZAMGTW2OSIBLYLXWHQBGWP7M4DTRS7/ https://security.gentoo.org/glsa/202003-40 https://github.com/Cacti/cacti/issues/3191 https://lists.debian.org/debian-lts-announce/2020/01/msg00014.html SuSE Security Announcement: openSUSE-SU-2020:0272 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00001.html SuSE Security Announcement: openSUSE-SU-2020:0284 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00005.html SuSE Security Announcement: openSUSE-SU-2020:0558 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00042.html SuSE Security Announcement: openSUSE-SU-2020:0565 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00048.html SuSE Security Announcement: openSUSE-SU-2020:0654 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00032.html Common Vulnerability Exposure (CVE) ID: CVE-2021-23225 [debian-lts-announce] 20220329 [SECURITY] [DLA 2965-1] cacti security update https://www.cacti.net/info/changelog Common Vulnerability Exposure (CVE) ID: CVE-2022-0730 DSA-5298 https://www.debian.org/security/2022/dsa-5298 FEDORA-2022-6a7e259e15 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZJERS4NYIGJUXEGT6ATUQA4CBYBRDLRA/ FEDORA-2022-70f5c7ff72 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZH67CCORDEYFG7NL7G6UH47PAV2PU7BA/ FEDORA-2022-e619e3d5d0 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RVOALVZSCBFNOAAZVHTJFSFB7UDSNYQ2/ [debian-lts-announce] 20221231 [SECURITY] [DLA 3252-1] cacti security update https://github.com/Cacti/cacti/issues/4562
Copyright	Copyright (C) 2022 Greenbone AG

This is only one of 146377 vulnerability tests in our test suite. Find out more about running a complete security audit. To run a free test of this vulnerability against your system, register below.