Cacti release reports :

Multiple security vulnerabilities have been fixed :

- SQL injection vulnerabilities

Update to Cacti 0.8.8b. This version fixes SQL injection vulnerabilities. See the full [upstream release notes](http://www.cacti.net/release_notes_0_8_8b.php) for details.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

(1) snmp.php and (2) rrd.php in Cacti before 0.8.8b allows remote attackers to execute arbitrary commands via shell metacharacters in unspecified vectors.

Multiple SQL injection vulnerabilities in (1) api_poller.php and (2) utility.php in Cacti before 0.8.8b allow remote attackers to execute arbitrary SQL commands via unspecified vectors.

According to its self-reported version number, the Cacti application running on the remote web server is prior to version 0.8.8b. It is, therefore, potentially affected by command injection and SQL injection vulnerabilities because the application fails to properly sanitize user-supplied input to various scripts. An attacker may be able to exploit these issues to execute arbitrary code as well as access or modify the underlying database for the application.

cacti was updated to version 0.8.8b to fix security issues and bugs.

  - Fixes CVE-2013-1434 CVE-2013-1435

  - security: SQL injection and shell escaping issues 

  - bug: Fixed issue with custom data source information     being lost when saved from edit

  - bug: Repopulate the poller cache on new installations

  - bug: Fix issue with poller not escaping the script query     path correctly

  - bug: Allow snmpv3 priv proto none

  - bug: Fix issue where host activate may flush the entire     poller item cache

The remote host is affected by the vulnerability described in GLSA-201401-20 (Cacti: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Cacti. Please review       the CVE identifiers referenced below for details.
  Impact :

    A remote attacker could execute arbitrary SQL commands via specially       crafted parameters, execute arbitrary shell code or inject malicious       script code.
  Workaround :

    There is no known workaround at this time.

Two security issues (SQL injection and command line injection via SNMP settings) were found in Cacti, a web interface for graphing of monitoring systems.

Cacti is a network graphing solution designed to use the power of RRDTool's data storage and graphing functionality. According to its self-reported version number, the version of Cacti hosted on the remote web server is affected by command injection and SQL injection vulnerabilities because the application fails to properly sanitize user-supplied input.

 An attacker may be able to leverage these issues to execute arbitrary code as well as access or modify the underlying database for the application

ID	Name	Product	Family	Published	Updated	Severity
69507	FreeBSD : cacti -- allow remote attackers to execute arbitrary SQL commands (b3b8d491-0fbb-11e3-8c50-1c6f65c11ee6)	Nessus	FreeBSD Local Security Checks	8/30/2013	1/6/2021	high
69385	Fedora 18 : cacti-0.8.8b-1.fc18 (2013-14454)	Nessus	Fedora Local Security Checks	8/20/2013	1/11/2021	high
70226	Amazon Linux AMI : cacti (ALAS-2013-222)	Nessus	Amazon Linux Local Security Checks	10/1/2013	4/18/2018	high
69306	Cacti < 0.8.8b Command and SQL Injections	Nessus	CGI abuses	8/12/2013	4/11/2022	high
69386	Fedora 19 : cacti-0.8.8b-1.fc19 (2013-14463)	Nessus	Fedora Local Security Checks	8/20/2013	1/11/2021	high
75127	openSUSE Security Update : cacti (openSUSE-SU-2013:1377-1)	Nessus	SuSE Local Security Checks	6/13/2014	1/19/2021	high
72075	GLSA-201401-20 : Cacti: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	1/22/2014	1/6/2021	high
69435	Debian DSA-2739-1 : cacti - several vulnerabilities	Nessus	Debian Local Security Checks	8/22/2013	1/11/2021	high
8004	Cacti < 0.8.8b Command and SQL Injections	Nessus Network Monitor	Web Servers	9/5/2013	3/6/2019	high

Detections

Analytics

Plugins Search

high

high

high

high

high

high

high

high

high