Source: cacti
Version: 1.2.8+ds1-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/Cacti/cacti/issues/3201

Hi,

The following vulnerability was published for cacti.

CVE-2020-7237[0]:
| Cacti 1.2.8 allows Remote Code Execution (by privileged users) via
| shell metacharacters in the Performance Boost Debug Log field of
| poller_automation.php. OS commands are executed when a new poller
| cycle begins. The attacker must be authenticated, and must have access
| to modify the Performance Settings of the product.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-7237
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7237
[1] https://github.com/Cacti/cacti/issues/3201

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
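
Added example, not part of the original report and not Cacti's own code: one way to keep a stored log-path setting like the field named in the CVE description from carrying shell metacharacters, on the assumption that the field is meant to hold a file path. The function names and the `/var/log/cacti` directory are hypothetical.

```php
<?php
// Added illustration, not Cacti code. Names and ALLOWED_LOG_DIR are hypothetical.
const ALLOWED_LOG_DIR = '/var/log/cacti';

// Validate a log path from a settings form; return the normalized path or null.
function validate_log_path(string $value): ?string
{
    $value = trim($value);
    // Allow-list: absolute path built only from characters a shell treats literally.
    if (!preg_match('#^/[A-Za-z0-9._/-]+$#D', $value)) {
        return null;
    }
    // No traversal segments.
    if (in_array('..', explode('/', $value), true)) {
        return null;
    }
    // The parent directory must exist and resolve inside the allowed directory.
    $base = realpath(ALLOWED_LOG_DIR);
    $dir  = realpath(dirname($value));
    if ($base === false || $dir === false) {
        return null;
    }
    if ($dir !== $base && strpos($dir, $base . '/') !== 0) {
        return null;
    }
    return $dir . '/' . basename($value);
}

// Append to the log with file functions, so no shell ever parses the setting.
function write_debug_log(string $stored_path, string $message): bool
{
    // Re-validate at the point of use: a value read back from storage is still untrusted.
    $path = validate_log_path($stored_path);
    if ($path === null) {
        return false;
    }
    return file_put_contents($path, $message . PHP_EOL, FILE_APPEND | LOCK_EX) !== false;
}

// Constructed sample values, as they might arrive from the settings form.
$samples = ['/var/log/cacti/boost.log', '/var/log/cacti/boost.log;x',
            '/var/log/cacti/../../tmp/x', 'boost.log'];
foreach ($samples as $candidate) {
    $verdict = validate_log_path($candidate) === null ? 'rejected' : 'accepted';
    printf("%-30s %s\n", $candidate, $verdict);
}
```

Where a command line genuinely has to include the path, pass it through `escapeshellarg()` in addition to this validation.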