Alpine: multiple cacti packages: security update to 1.2.8-r0

high Tenable Self-Hosted Container Security Plugin ID 403771

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- Cacti through 1.2.7 is affected by multiple instances of lib/functions.php unsafe deserialization of user-
controlled data to populate arrays. An authenticated attacker could use this to influence object data
values and control actions taken by Cacti or potentially cause memory corruption in the PHP module.
(CVE-2019-17358)

- Cacti 1.2.8 has stored XSS in data_sources.php, color_templates_item.php, graphs.php, graph_items.php,
lib/api_automation.php, user_admin.php, and user_group_admin.php, as demonstrated by the description
parameter in data_sources.php (a raw string from the database that is displayed by $header to trigger the
XSS). (CVE-2020-7106)

- Cacti 1.2.8 allows Remote Code Execution (by privileged users) via shell metacharacters in the Performance
Boost Debug Log field of poller_automation.php. OS commands are executed when a new poller cycle begins.
The attacker must be authenticated, and must have access to modify the Performance Settings of the
product. (CVE-2020-7237)

- graph_realtime.php in Cacti 1.2.8 allows remote attackers to execute arbitrary OS commands via shell
metacharacters in a cookie, if a guest user has the graph real-time privilege. (CVE-2020-8813)

See Also

https://security.alpinelinux.org/vuln/CVE-2019-17358

https://security.alpinelinux.org/vuln/CVE-2020-7106

https://security.alpinelinux.org/vuln/CVE-2020-7237

https://security.alpinelinux.org/vuln/CVE-2020-8813

Plugin Details

Severity: High

ID: 403771

Version: Revision 1.28

Type: Local

Published: 10/31/2023

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 6.9

Percentile: 97.35

CVSS v2

Risk Factor: High

Base Score: 9.3

Temporal Score: 7.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2020-8813

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.9

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 12/12/2019

Reference Information

CVE: CVE-2019-17358, CVE-2020-7106, CVE-2020-7237, CVE-2020-8813