Source: cacti
Version: 1.2.28+ds1-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerabilities were published for cacti.

CVE-2024-45598[0]:
| Cacti is an open source performance and fault management framework.
| Prior to 1.2.29, an administrator can change the `Poller Standard
| Error Log Path` parameter in either Installation Step 5 or in
| Configuration->Settings->Paths tab to a local file inside the
| server. Then simply going to Logs tab and selecting the name of the
| local file will show its content on the web UI. This vulnerability
| is fixed in 1.2.29.

CVE-2024-54145[1]:
| Cacti is an open source performance and fault management framework.
| Cacti has a SQL injection vulnerability in the get_discovery_results
| function of automation_devices.php using the network parameter. This
| vulnerability is fixed in 1.2.29.

CVE-2024-54146[2]:
| Cacti is an open source performance and fault management framework.
| Cacti has a SQL injection vulnerability in the template function of
| host_templates.php using the graph_template parameter. This
| vulnerability is fixed in 1.2.29.

CVE-2025-22604[3]:
| Cacti is an open source performance and fault management framework.
| Due to a flaw in multi-line SNMP result parser, authenticated users
| can inject malformed OIDs in the response. When processed by
| ss_net_snmp_disk_io() or ss_net_snmp_disk_bytes(), a part of each
| OID will be used as a key in an array that is used as part of a
| system command, causing a command execution vulnerability. This
| vulnerability is fixed in 1.2.29.

CVE-2025-24367[4]:
| Cacti is an open source performance and fault management framework.
| An authenticated Cacti user can abuse graph creation and graph
| template functionality to create arbitrary PHP scripts in the web
| root of the application, leading to remote code execution on the
| server. This vulnerability is fixed in 1.2.29.

CVE-2025-24368[5]:
| Cacti is an open source performance and fault management framework.
| Some of the data stored in automation_tree_rules.php is not
| thoroughly checked and is used to concatenate the SQL statement in
| build_rule_item_filter() function from lib/api_automation.php,
| resulting in SQL injection. This vulnerability is fixed in 1.2.29.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

Commits are found in the security-tracker references directly.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-45598
    https://www.cve.org/CVERecord?id=CVE-2024-45598
[1] https://security-tracker.debian.org/tracker/CVE-2024-54145
    https://www.cve.org/CVERecord?id=CVE-2024-54145
[2] https://security-tracker.debian.org/tracker/CVE-2024-54146
    https://www.cve.org/CVERecord?id=CVE-2024-54146
[3] https://security-tracker.debian.org/tracker/CVE-2025-22604
    https://www.cve.org/CVERecord?id=CVE-2025-22604
[4] https://security-tracker.debian.org/tracker/CVE-2025-24367
    https://www.cve.org/CVERecord?id=CVE-2025-24367
[5] https://security-tracker.debian.org/tracker/CVE-2025-24368
    https://www.cve.org/CVERecord?id=CVE-2025-24368

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
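The CVE-2025-22604 description above (a line-based SNMP result parser that takes part of each OID as an array key and then uses that key in a system command) is easy to reproduce in miniature. The following is an added, constructed model of that pattern and of the obvious hardening, written for this page; it is not Cacti's code, does not reproduce ss_net_snmp_disk_io() or ss_net_snmp_disk_bytes(), and the SNMP output, the `/usr/bin/stat` command line and the `/dev/disk-<index>` path are all invented for illustration. The multi-line value in the sample is the point: a naive splitter treats the continuation line of a quoted STRING as a fresh "OID = value" row, so whoever controls the polled value controls an OID.

```python
"""Model of an OID-keyed command built from naively parsed multi-line SNMP output.

Added example for the CVE-2025-22604 description; not Cacti's code. The SNMP
output, the command name and the device path are constructed placeholders.
"""
import re
import shlex

# Constructed sample of net-snmp style "OID = TYPE: value" lines. Row 2 carries
# a quoted STRING value that spans two lines; the second physical line is
# crafted to look like a new row whose OID index carries shell metacharacters.
SAMPLE_SNMP_OUTPUT = """\
.1.3.6.1.4.1.2021.13.15.1.1.2.1 = STRING: sda
.1.3.6.1.4.1.2021.13.15.1.1.2.2 = STRING: "line one
.1.3.6.1.4.1.2021.13.15.1.1.2.3;id>/tmp/x;# = STRING: sdc"
"""

# Strict OID shape: optional leading dot, then dot-separated decimal arcs only.
OID_RE = re.compile(r"^\.?\d+(\.\d+)*$")


def parse_snmp_rows(text):
    """Naive multi-line parser: each physical line with ' = ' is one row.

    It never tracks the opening quote of a STRING value, so the continuation
    line of a multi-line value is parsed as its own (attacker-shaped) row.
    """
    rows = []
    for line in text.splitlines():
        if " = " not in line:
            continue
        oid, _, value = line.partition(" = ")
        rows.append((oid.strip(), value.strip()))
    return rows


def index_from_oid(oid):
    """Last arc of the OID, the part used as the per-disk array key."""
    return oid.rsplit(".", 1)[-1]


def build_commands_vulnerable(rows, tool="/usr/bin/stat"):
    """Vulnerable pattern: OID-derived key interpolated into a shell command.

    With the sample input one entry becomes
    '/usr/bin/stat /dev/disk-3;id>/tmp/x;#', which a shell would run as two
    commands.
    """
    keys = {index_from_oid(oid): value for oid, value in rows}
    return [f"{tool} /dev/disk-{key}" for key in keys]


def build_commands_hardened(rows, tool="/usr/bin/stat"):
    """Hardened form: reject any OID that is not purely numeric, then quote.

    Validation is the real fix (a malformed OID is dropped, not repaired);
    shlex.quote is defence in depth should the string still reach a shell.
    """
    commands = []
    for oid, _value in rows:
        if not OID_RE.match(oid):
            continue
        key = index_from_oid(oid)
        commands.append(f"{tool} {shlex.quote('/dev/disk-' + key)}")
    return commands


if __name__ == "__main__":
    rows = parse_snmp_rows(SAMPLE_SNMP_OUTPUT)
    for cmd in build_commands_vulnerable(rows):
        print("vulnerable:", cmd)
    for cmd in build_commands_hardened(rows):
        print("hardened:  ", cmd)
```

The check a maintainer backporting the fix wants is the negative one: feed the parser a value containing a newline followed by a fake OID line and confirm that nothing derived from it reaches the command builder.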
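Three of the six CVEs in this report (CVE-2024-54145, CVE-2024-54146 and CVE-2025-24368) share one root cause: a request parameter is concatenated into a SQL statement instead of being bound. The following added example, written for this page and not taken from Cacti, models that pattern on the `network` parameter named for get_discovery_results and shows the two fixes a reviewer would expect. The table names, columns and rows are constructed, and SQLite stands in for MySQL; the `automation_devices` and `user_auth` tables here are illustrative placeholders, not Cacti's schema.

```python
"""Concatenated versus parameterised SQL filter on a user-supplied network value.

Added example for the SQL injection entries in this report; not Cacti's code.
Schema, rows and the leaked hash are constructed for the demonstration.
"""
import ipaddress
import sqlite3


def make_db():
    """In-memory stand-in for the tables a discovery page might query."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE automation_devices (id INTEGER, network TEXT, hostname TEXT)"
    )
    con.executemany(
        "INSERT INTO automation_devices VALUES (?, ?, ?)",
        [
            (1, "10.0.0.0/24", "core-sw1"),
            (2, "10.0.1.0/24", "edge-fw1"),
            (3, "192.168.5.0/24", "lab-ap1"),
        ],
    )
    # A second table the filter was never meant to touch; one constructed row.
    con.execute("CREATE TABLE user_auth (id INTEGER, username TEXT, password TEXT)")
    con.execute("INSERT INTO user_auth VALUES (1, 'admin', '$6$constructed')")
    return con


def discovery_results_vulnerable(con, network):
    """Vulnerable pattern: the filter value is spliced into the statement.

    A value such as ' OR '1'='1 removes the filter, and a UNION payload with a
    matching column count reads arbitrary tables through the same query.
    """
    sql = (
        "SELECT id, hostname FROM automation_devices WHERE network = '"
        + network
        + "'"
    )
    return con.execute(sql).fetchall()


def discovery_results_hardened(con, network):
    """Fix 1: bind the value; the driver keeps it data, never SQL."""
    sql = "SELECT id, hostname FROM automation_devices WHERE network = ?"
    return con.execute(sql, (network,)).fetchall()


def is_valid_network(value):
    """Fix 2 (defence in depth): accept only something that parses as a CIDR.

    strict=False tolerates host bits set (10.0.0.5/24); anything with quotes,
    spaces or keywords fails to parse and is rejected before reaching SQL.
    """
    try:
        ipaddress.ip_network(value, strict=False)
    except ValueError:
        return False
    return True


def discovery_results_validated(con, network):
    """Both fixes together: validate the shape, then bind the value."""
    if not is_valid_network(network):
        return []
    return discovery_results_hardened(con, network)


if __name__ == "__main__":
    db = make_db()
    print(discovery_results_vulnerable(db, "' OR '1'='1"))
    print(discovery_results_vulnerable(
        db, "' UNION SELECT id, username || ':' || password FROM user_auth --"))
    print(discovery_results_validated(db, "' OR '1'='1"))
```

Binding is the fix that matters; the CIDR check only narrows what reaches the query and would not by itself help for a free-form parameter such as the `graph_template` name in CVE-2024-54146, where binding (or an allow-list lookup of the template id) is the whole answer.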