-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 09 Feb 2025 14:36:48 +0000
Source: cacti
Architecture: source
Version: 1.2.24+ds1-1+deb12u5
Distribution: bookworm-security
Urgency: medium
Maintainer: Cacti Maintainer
Changed-By: Bastien Roucariès
Changes:
 cacti (1.2.24+ds1-1+deb12u5) bookworm-security; urgency=medium
 .
   * Non-maintainer upload by the Security Team.
   * Fix CVE-2024-27082: Stored XSS vulnerability.
   * Fix CVE-2024-43362: XSS (Cross-Site Scripting) Vulnerability.
     The `fileurl` parameter is not properly sanitized when saving external
     links in `links.php`. Moreover, the said fileurl is placed in some HTML
     code which is passed to the `print` function in `link.php` and
     `index.php`, finally leading to stored XSS.
   * Fix CVE-2024-43363: Remote Code Execution (RCE) by log poisoning.
     An admin user can create a device with a malicious hostname containing
     PHP code and repeat the installation process to use a PHP file as the
     cacti log file. After having the malicious hostname end up in the logs
     (log poisoning), one can simply go to the log file URL to execute
     commands to achieve RCE.
   * Fix CVE-2024-43364: Stored XSS (Cross-Site Scripting) Vulnerability.
     The `title` parameter is not properly sanitized when saving external
     links in links.php. Moreover, the said title parameter is stored in the
     database and reflected back to the user in index.php, finally leading
     to stored XSS.
   * Fix CVE-2024-43365: Stored XSS (Cross-Site Scripting) Vulnerability.
     The `consolenewsection` parameter is not properly sanitized when saving
     external links in links.php. Moreover, the said consolenewsection
     parameter is stored in the database and reflected back to the user in
     `index.php`, finally leading to stored XSS.
   * Fix CVE-2024-45598: Local File Inclusion (LFI) Vulnerability via Poller
     Standard Error Log Path. An admin can change the Poller Standard Error
     Log Path parameter in either Installation Step 5 or in the
     Configuration->Settings->Paths tab to a local file inside the server.
     Then simply going to the Logs tab and selecting the name of the local
     file will show its content on the web UI.
   * Fix CVE-2024-54145: SQL Injection vulnerability when requesting
     automation devices. A SQL injection vulnerability in the
     get_discovery_results function of automation_devices.php: parameter
     network concat into sql_where without sufficient filtration.
   * Fix CVE-2025-22604: Authenticated RCE via multi-line SNMP responses.
     Due to a flaw in the multi-line SNMP result parser, authenticated users
     can inject malformed OIDs in the response. When processed by
     ss_net_snmp_disk_io() or ss_net_snmp_disk_bytes(), a part of each OID
     will be used as a key in an array that is used as part of a system
     command, causing a command execution vulnerability.
   * Fix CVE-2025-24367: Arbitrary File Creation leading to RCE.
     An authenticated Cacti user can abuse graph creation and graph template
     functionality to create arbitrary PHP scripts in the web root of the
     application, leading to remote code execution on the server.
   * Fix CVE-2025-24368: SQL Injection vulnerability when using tree rules
     through the Automation API. Some of the data stored in
     automation_tree_rules.php is not thoroughly checked and is used to
     concatenate the SQL statement in the build_rule_item_filter() function
     from lib/api_automation.php, finally resulting in SQL injection.
Checksums-Sha1:
Checksums-Sha256:
Files:
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----