ALT Linux Team

Package cacti update in sisyphus_riscv64 on 2025-03-05

ALT-PU-2025-3893-1

Package cacti updated to version 1.2.29-alt1 for branch sisyphus_riscv64.

Closed vulnerabilities

Published: 2025-01-26

BDU:2025-00856

Уязвимость функций ss_net_snmp_disk_io() и ss_net_snmp_disk_bytes() программного средства мониторинга сети Cacti, позволяющая нарушителю выполнить произвольный код

Severity: CRITICAL (9.1) Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
References:
Published: 2025-01-26

BDU:2025-00976

Уязвимость функции get_discovery_results() программного средства мониторинга сети Cacti, позволяющая нарушителю выполнить произвольный код

Severity: MEDIUM (6.3) Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
References:
Published: 2025-01-26

BDU:2025-00977

Уязвимость сценария host_templates.php программного средства мониторинга сети Cacti, позволяющая нарушителю выполнить произвольный код

Severity: HIGH (7.6) Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H
References:
Published: 2024-08-26

BDU:2025-01037

Уязвимость веб-интерфейса программного средства мониторинга сети Cacti, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации

Severity: MEDIUM (6.0) Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L
References:
Published: 2025-02-12

BDU:2025-02172

Уязвимость функции шаблона в host_templates.php программного средства мониторинга сети Cacti, позволяющая нарушителю получить доступ к конфиденциальным данным

Severity: HIGH (7.6) Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H
References:
Published: 2025-01-27
Modified: 2025-03-04

CVE-2024-45598

Cacti is an open source performance and fault management framework. Prior to 1.2.29, an administrator can change the `Poller Standard Error Log Path` parameter in either Installation Step 5 or in Configuration->Settings->Paths tab to a local file inside the server. Then simply going to Logs tab and selecting the name of the local file will show its content on the web UI. This vulnerability is fixed in 1.2.29.

Severity: MEDIUM (4.9) Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
References:
Published: 2025-01-27
Modified: 2025-03-04

CVE-2024-54145

Cacti is an open source performance and fault management framework. Cacti has a SQL injection vulnerability in the get_discovery_results function of automation_devices.php using the network parameter. This vulnerability is fixed in 1.2.29.

Severity: HIGH (8.8) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
Published: 2025-01-27
Modified: 2025-03-04

CVE-2024-54146

Cacti is an open source performance and fault management framework. Cacti has a SQL injection vulnerability in the template function of host_templates.php using the graph_template parameter. This vulnerability is fixed in 1.2.29.

Severity: HIGH (8.8) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
Published: 2025-01-27
Modified: 2025-03-04

CVE-2025-22604

Cacti is an open source performance and fault management framework. Due to a flaw in multi-line SNMP result parser, authenticated users can inject malformed OIDs in the response. When processed by ss_net_snmp_disk_io() or ss_net_snmp_disk_bytes(), a part of each OID will be used as a key in an array that is used as part of a system command, causing a command execution vulnerability. This vulnerability is fixed in 1.2.29.

Severity: HIGH (7.2) Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
References:
Published: 2025-02-12

CVE-2025-26520

Cacti through 1.2.29 allows SQL injection in the template function in host_templates.php via the graph_template parameter. NOTE: this issue exists because of an incomplete fix for CVE-2024-54146.

Severity: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
VKontakte | Telegram | YouTube | Forum | GitHub | Bugzilla
Version: 2.1.0
Back to top