Source: cacti
Version: 1.2.9+ds1-1
Severity: grave
Tags: security upstream
Justification: user security hole

Hi,

The following vulnerability was published for cacti.

CVE-2020-8813[0]:
| graph_realtime.php in Cacti 1.2.8 allows remote attackers to execute
| arbitrary OS commands via shell metacharacters in a cookie, if a guest
| user has the graph real-time privilege.

Is said to the reporter that upstream is aware and did already fix it,
do you have reference to the upstream commit?

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-8813
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8813
[1] https://gist.github.com/mhaskar/ebe6b74c32fd0f7e1eedf1aabfd44129
[2] https://shells.systems/cacti-v1-2-8-authenticated-remote-code-execution-cve-2020-8813/

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore