[arch-security] [ASA-201605-14] cacti: sql injection
Remi Gacogne
rgacogne at archlinux.org
Tue May 10 17:59:32 UTC 2016
Arch Linux Security Advisory ASA-201605-14
==========================================
Severity: Medium
Date : 2016-05-10
CVE-ID : CVE-2016-3659
Package : cacti
Type : sql injection
Remote : Yes
Link : https://wiki.archlinux.org/index.php/CVE
Summary
=======
The package cacti before version 0.8.8_h-1 is vulnerable to sql injection.
Resolution
==========
Upgrade to 0.8.8_h-1.
# pacman -Syu "cacti>=0.8.8_h-1"
The problem has been fixed upstream in version 0.8.8h.
Workaround
==========
None.
Description
===========
A SQL injection vulnerability has been found in cacti, in the the
host_group_data parameter of the graph_view.php file.
Impact
======
A remote authenticated attacker can execute arbitrary SQL command on the
affected host.
References
==========
http://bugs.cacti.net/view.php?id=2673
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3659
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20160510/7d751b6b/attachment.asc>
More information about the arch-security
mailing list