Bugzilla – Bug 837440
VUL-0: CVE-2013-5588 CVE-2013-5589: cacti: XSS and SQL injection vulnerabilities
Last modified: 2018-08-03 22:11:18 UTC
Public via oss-security. Note: Only openSUSE is affected. Date: Sun, 25 Aug 2013 09:44:15 +0200 From: Salvatore Bonaccorso <carnil@debi..> Subject: [oss-security] CVE Request: 3 XSS vulnerabilities in Cacti <= 0.8.8b Three cross-site scripting vulnerabilities were reported in the Cacti Bugtracker at [1]: - Reflected XSS in the "step" parameter of the "/install/index.php" script - Stored XSS in the id parameter in the "/cacti/host.php" script > Use CVE-2013-5588 for both of these XSS issues. - "/cacti/host.php" script is vulnerable to Blind SQL Injection in the "id" parameter. > Use CVE-2013-5589 for this SQL injection issue. Upstream (Cc'ed) has commited r7420[2] and r7421[3] for 0.8.8 and 0.8.9 respectively to fix these issues. [1] http://bugs.cacti.net/view.php?id=2383 [2] http://svn.cacti.net/viewvc?view=rev&revision=7420 [3] http://svn.cacti.net/viewvc?view=rev&revision=7421 ----- From: cve-assign@mitr.. > input_validate_input_number(get_request_var_post("host_template_id")); This code was added to host.php in both 0.8.8 and 0.8.9, but we think that it might be impossible to exploit the host_template_id parameter for either XSS or SQL injection. If there is a usable attack with the host_template_id parameter, please request another CVE ID. Any vulnerability for the host_template_id parameter is not within the scope of either CVE-2013-5588 or CVE-2013-5589.
bugbot adjusting priority
(no bugowner currently set ... assign to current maintainer with others in cc)
https://build.opensuse.org/project/show/home:aeneas_jaissle:branches:OBS_Maintained:cacti
feel free to submit the mr
SR#230430
openSUSE-SU-2014:0600-1: An update that fixes 6 vulnerabilities is now available. Category: security (moderate) Bug References: 837440,870821,872008 CVE References: CVE-2013-5588,CVE-2013-5589,CVE-2014-2326,CVE-2014-2328,CVE-2014-2708,CVE-2014-2709 Sources used: openSUSE 13.1 (src): cacti-0.8.8b-4.1 openSUSE 12.3 (src): cacti-0.8.8b-5.8.1, cacti-spine-0.8.8b-4.4.1
Fixed and released. Closing bug.
This is an autogenerated message for OBS integration: This bug (837440) was mentioned in https://build.opensuse.org/request/show/625957 Backports:SLE-12 / cacti
openSUSE-OU-2018:2194-1: An update that fixes 33 vulnerabilities is now available. Category: optional (low) Bug References: 022564,1047512,1048102,1050950,1051633,1054390,1054742,1067163,1067164,1067166,1068028,1101024,1101139,837440,862993,867607,870821,872008,934187,937997,958863,958977,960678,965930,971357,974013 CVE References: CVE-2006-6799,CVE-2007-3112,CVE-2007-3113,CVE-2013-5588,CVE-2013-5589,CVE-2014-2326,CVE-2014-2327,CVE-2014-2328,CVE-2014-2708,CVE-2014-2709,CVE-2014-4000,CVE-2014-4002,CVE-2014-5025,CVE-2014-5026,CVE-2015-4342,CVE-2015-4634,CVE-2015-8369,CVE-2015-8377,CVE-2015-8604,CVE-2016-2313,CVE-2016-3172,CVE-2016-3659,CVE-2017-10970,CVE-2017-11163,CVE-2017-11691,CVE-2017-12065,CVE-2017-12927,CVE-2017-12978,CVE-2017-15194,CVE-2017-16641,CVE-2017-16660,CVE-2017-16661,CVE-2017-16785 Sources used: SUSE Package Hub for SUSE Linux Enterprise 12 (src): cacti-1.1.38-2.1