Arch Linux Security Advisory ASA-201602-24 ========================================== Severity: High Date : 2016-02-28 CVE-ID : CVE-2015-8604 CVE-2015-8377 CVE-2015-8369 Package : cacti Type : sql injection Remote : Yes Link : https://wiki.archlinux.org/index.php/CVE Summary ======= The package cacti before version 0.8.8_g-2 is vulnerable to sql injection. Resolution ========== Upgrade to 0.8.8_g-2. # pacman -Syu "cacti>=0.8.8_g-2" The problem has been fixed upstream in version 0.8.8_g. Workaround ========== None. Description =========== - CVE-2015-8604 (sql injection) SQL injection in graphs_new.php. - CVE-2015-8377 (sql injection) SQL injection vulnerability in the host_new_graphs_save function in graphs_new.php. - CVE-2015-8369 (sql injection) SQL injection in graph.php. Impact ====== A remote attacker is able to get access to the cacti database. References ========== http://www.openwall.com/lists/oss-security/2016/01/04/8 https://bugs.mageia.org/show_bug.cgi?id=17352 http://www.cacti.net/release_notes_0_8_8g.php