Security update for cacti SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2016:0438-1 Final 1 1 2016-02-12T06:09:26Z current 2016-02-12T06:09:26Z 2016-02-12T06:09:26Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for cacti cacti was updated to fix the following vulnerabilities: - CVE-2015-8369: SQL injection in graph.php (boo#958863) - CVE-2015-8604: SQL injection in graphs_new.php (boo#960678) - CVE-2015-8377: SQL injection vulnerability in the host_new_graphs_save function in graphs_new.php (boo#958977) - CVE-2016-2313: Authentication using web authentication as a user not in the cacti database allows complete access (boo#965930) cacti-spine was updated to match the cacti version, fixing a number of upstream bugs. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-updates/2016-02/msg00078.html E-Mail link for openSUSE-SU-2016:0438-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.1 cacti-0.8.8f-8.1 cacti-spine-0.8.8f-5.1 cacti-0.8.8f-8.1 as a component of openSUSE Leap 42.1 cacti-spine-0.8.8f-5.1 as a component of openSUSE Leap 42.1 SQL injection vulnerability in include/top_graph_header.php in Cacti 0.8.8f and earlier allows remote attackers to execute arbitrary SQL commands via the rra_id parameter in a properties action to graph.php. CVE-2015-8369 openSUSE Leap 42.1:cacti-0.8.8f-8.1 openSUSE Leap 42.1:cacti-spine-0.8.8f-5.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-updates/2016-02/msg00078.html https://www.suse.com/security/cve/CVE-2015-8369.html CVE-2015-8369 https://bugzilla.suse.com/958863 SUSE Bug 958863 https://bugzilla.suse.com/958977 SUSE Bug 958977 https://bugzilla.suse.com/960678 SUSE Bug 960678 SQL injection vulnerability in the host_new_graphs_save function in graphs_new.php in Cacti 0.8.8f and earlier allows remote authenticated users to execute arbitrary SQL commands via crafted serialized data in the selected_graphs_array parameter in a save action. CVE-2015-8377 openSUSE Leap 42.1:cacti-0.8.8f-8.1 openSUSE Leap 42.1:cacti-spine-0.8.8f-5.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-updates/2016-02/msg00078.html https://www.suse.com/security/cve/CVE-2015-8377.html CVE-2015-8377 https://bugzilla.suse.com/958863 SUSE Bug 958863 https://bugzilla.suse.com/958977 SUSE Bug 958977 https://bugzilla.suse.com/960678 SUSE Bug 960678 SQL injection vulnerability in the host_new_graphs function in graphs_new.php in Cacti 0.8.8f and earlier allows remote authenticated users to execute arbitrary SQL commands via the cg_g parameter in a save action. CVE-2015-8604 openSUSE Leap 42.1:cacti-0.8.8f-8.1 openSUSE Leap 42.1:cacti-spine-0.8.8f-5.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-updates/2016-02/msg00078.html https://www.suse.com/security/cve/CVE-2015-8604.html CVE-2015-8604 https://bugzilla.suse.com/960678 SUSE Bug 960678 auth_login.php in Cacti before 0.8.8g allows remote authenticated users who use web authentication to bypass intended access restrictions by logging in as a user not in the cacti database. CVE-2016-2313 openSUSE Leap 42.1:cacti-0.8.8f-8.1 openSUSE Leap 42.1:cacti-spine-0.8.8f-5.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-updates/2016-02/msg00078.html https://www.suse.com/security/cve/CVE-2016-2313.html CVE-2016-2313 https://bugzilla.suse.com/1022564 SUSE Bug 1022564 https://bugzilla.suse.com/1069693 SUSE Bug 1069693 https://bugzilla.suse.com/965930 SUSE Bug 965930