Alpine: multiple cacti packages: security update to 1.2.13-r0

high Tenable Cloud Security Plugin ID 403768

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- In jQuery starting with 1.12.0 and before 3.5.0, passing HTML from untrusted sources - even after
sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may
execute untrusted code. This problem is patched in jQuery 3.5.0. (CVE-2020-11022)

- In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option>
elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods
(i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
(CVE-2020-11023)

- PHPMailer before 6.1.6 contains an output escaping bug when the name of a file attachment contains a
double quote character. This can result in the file type being misinterpreted by the receiver or any mail
relay processing the message. (CVE-2020-13625)

- A SQL injection issue in color.php in Cacti 1.2.12 allows an admin to inject SQL via the filter parameter.
This can lead to remote command execution because the product accepts stacked queries. (CVE-2020-14295)

See Also

https://security.alpinelinux.org/vuln/CVE-2020-11022

https://security.alpinelinux.org/vuln/CVE-2020-11023

https://security.alpinelinux.org/vuln/CVE-2020-13625

https://security.alpinelinux.org/vuln/CVE-2020-14295

Plugin Details

Severity: High

ID: 403768

Version: Revision 1.28

Type: Local

Published: 10/31/2023

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 5.1

Percentile: 96.42

CVSS v2

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.4

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P

CVSS Score Source: CVE-2020-14295

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

CVSS Score Source: CVE-2020-13625

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 4/29/2020

CISA Known Exploited Vulnerability Due Dates: 2/13/2025

Exploitable With

Metasploit (Cacti color filter authenticated SQLi to RCE)

Reference Information

CVE: CVE-2020-11022, CVE-2020-11023, CVE-2020-13625, CVE-2020-14295