Bug 2255666 (CVE-2023-49085, CVE-2023-49088, CVE-2023-50250, CVE-2023-51448) - CVE-2023-50250 CVE-2023-49088 CVE-2023-51448 CVE-2023-49085 cacti: Multiple vulnerabilities
Summary: CVE-2023-50250 CVE-2023-49088 CVE-2023-51448 CVE-2023-49085 cacti: Multiple v...
Keywords:
Status: NEW
Alias: CVE-2023-49085, CVE-2023-49088, CVE-2023-50250, CVE-2023-51448
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Importance: high high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2255667 2255668
Blocks:
Reported: 2023-12-22 21:08 UTC by Patrick Del Bello
Modified: 2024-01-25 07:30 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Patrick Del Bello 2023-12-22 21:08:08 UTC
Cacti is an open source operational monitoring and fault management framework. A reflection cross-site scripting vulnerability was discovered in version 1.2.25. Attackers can exploit this vulnerability to perform actions on behalf of other users. The vulnerability is found in `templates_import.php`. When uploading an XML template file, if the XML file does not pass the check, the server will give a JavaScript pop-up prompt, which contains the unfiltered XML template file name, resulting in XSS. An attacker exploiting this vulnerability could execute actions on behalf of other users. This ability to impersonate users could lead to unauthorized changes to settings. As of time of publication, no patched versions are available.

https://github.com/Cacti/cacti/blob/5f6f65c215d663a775950b2d9db35edbaf07d680/templates_import.php
https://github.com/Cacti/cacti/security/advisories/GHSA-xwqc-7jc4-xm73


Cacti is an open source operational monitoring and fault management framework. The fix applied for CVE-2023-39515 in version 1.2.25 is incomplete as it enables an adversary to have a victim browser execute malicious code when a victim user hovers their mouse over the malicious data source path in `data_debug.php`. To perform the cross-site scripting attack, the adversary needs to be an authorized cacti user with the following permissions: `General Administration>Sites/Devices/Data`. The victim of this attack could be any account with permissions to view `http://<HOST>/cacti/data_debug.php`. As of time of publication, no complete fix has been included in Cacti.

https://github.com/Cacti/cacti/blob/5f6f65c215d663a775950b2d9db35edbaf07d680/data_debug.php
https://github.com/Cacti/cacti/security/advisories/GHSA-hrg9-qqqx-wc4h
https://github.com/Cacti/cacti/security/advisories/GHSA-q7g7-gcf6-wh4x

Cacti provides an operational monitoring and fault management framework. Version 1.2.25 has a Blind SQL Injection (SQLi) vulnerability within the SNMP Notification Receivers feature in the file `managers.php`. An authenticated attacker with the "Settings/Utilities" permission can send a crafted HTTP GET request to the endpoint `/cacti/managers.php` with an SQLi payload in the `selected_graphs_array` HTTP GET parameter. As of time of publication, no patched versions exist.

https://github.com/Cacti/cacti/blob/5f6f65c215d663a775950b2d9db35edbaf07d680/managers.php#L941
https://github.com/Cacti/cacti/security/advisories/GHSA-w85f-7c4w-7594

Cacti provides an operational monitoring and fault management framework. In versions 1.2.25 and prior, it is possible to execute arbitrary SQL code through the `pollers.php` script. An authorized user may be able to execute arbitrary SQL code. The vulnerable component is the `pollers.php`. Impact of the vulnerability - arbitrary SQL code execution. As of time of publication, a patch does not appear to exist.

https://github.com/Cacti/cacti/blob/5f6f65c215d663a775950b2d9db35edbaf07d680/pollers.php#L451
https://github.com/Cacti/cacti/security/advisories/GHSA-vr3c-38wh-g855
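The first advisory in the description turns on an unfiltered file name being spliced into the JavaScript of a pop-up. The following is an added Python illustration of that pattern beside the hardened form a fix needs when a value is embedded in an inline script block; it is not Cacti's PHP code and not taken from the advisory, and the sample file names are constructed.

```python
import json

# Constructed sample upload names (not from the advisory). The second one
# carries the two things that matter inside an inline <script> block: a quote
# that ends the string literal and a "</script>" that ends the block itself.
SAFE_NAME = "cpu_template.xml"
HOSTILE_NAME = "x');</script><script>alert(1)</script>.xml"


def render_popup_unsafe(filename: str) -> str:
    """Illustrative reconstruction of the bug class: the raw file name is
    spliced into the JavaScript source of the pop-up. Not Cacti's code."""
    return f"<script>alert('Invalid template file: {filename}');</script>"


def js_string_literal(value: str) -> str:
    """Serialise value as a JavaScript string literal that is safe inside an
    inline <script> block. json.dumps handles quotes, backslashes, control
    characters and (with ensure_ascii=True) U+2028/U+2029, which are line
    terminators in JavaScript; the HTML-significant characters are then
    \\u-escaped too, so the literal can never contain a closing </script>."""
    literal = json.dumps(value)
    for ch, esc in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026")):
        literal = literal.replace(ch, esc)
    return literal


def render_popup_safe(filename: str) -> str:
    """Hardened form: the name reaches alert() only as a proper literal."""
    return ("<script>alert('Invalid template file: ' + "
            f"{js_string_literal(filename)});</script>")


def extra_script_tags(markup: str) -> int:
    """Opening <script> tags beyond the single one the page intends to emit;
    anything above zero means the attacker-controlled value broke out."""
    return markup.lower().count("<script") - 1


def roundtrip_ok(filename: str) -> bool:
    """The escaping is lossless: a JS parser (json.loads accepts the same
    \\uXXXX escapes) recovers the exact file name for display."""
    return json.loads(js_string_literal(filename)) == filename


if __name__ == "__main__":
    for name in (SAFE_NAME, HOSTILE_NAME):
        print(repr(name), "unsafe:", extra_script_tags(render_popup_unsafe(name)),
              "safe:", extra_script_tags(render_popup_safe(name)))
```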

Comment 1 Patrick Del Bello 2023-12-22 21:08:24 UTC
Created cacti tracking bugs for this issue:

Affects: epel-all [bug 2255668]
Affects: fedora-all [bug 2255667]

Comment 2 Maryann Manning 2024-01-25 07:30:55 UTC
This bug appears to have been reported against 'rawhide' during the Fedora Linux 37 development cycle. Changing version to 37.
