Security update for cacti, cacti-spine SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2017:2087-1 Final 1 1 2017-08-07T20:16:05Z current 2017-08-07T20:16:05Z 2017-08-07T20:16:05Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for cacti, cacti-spine This update for cacti, cacti-spine fixes the following issues: - CVE-2017-12065: Possible code execution via avgnan, outlier-start, or outlier-end parameter (bsc#1051633) - CVE-2017-11691: XSS in auth_profile.php allows remote attackers to inject arbitrary JS via specially crafted HTTP Referer headers (bsc#1050950) - CVE-2017-10970: XSS Issue in link.php bsc#1047512 - CVE-2017-11163: XSS Issue in lib/html_form.php bsc#1048102 In addition, cacti and cacti-spine were updated to the current stable release 1.1.16, containing all upstream improvements and bugfixes. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-updates/2017-08/msg00018.html E-Mail link for openSUSE-SU-2017:2087-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.2 openSUSE Leap 42.3 cacti-1.1.16-19.1 cacti-doc-1.1.16-19.1 cacti-spine-1.1.16-10.1 cacti-1.1.16-19.1 as a component of openSUSE Leap 42.2 cacti-doc-1.1.16-19.1 as a component of openSUSE Leap 42.2 cacti-spine-1.1.16-10.1 as a component of openSUSE Leap 42.2 cacti-1.1.16-19.1 as a component of openSUSE Leap 42.3 cacti-doc-1.1.16-19.1 as a component of openSUSE Leap 42.3 cacti-spine-1.1.16-10.1 as a component of openSUSE Leap 42.3 Cross-site scripting (XSS) vulnerability in link.php in Cacti 1.1.12 allows remote anonymous users to inject arbitrary web script or HTML via the id parameter, related to the die_html_input_error function in lib/html_validate.php. CVE-2017-10970 openSUSE Leap 42.2:cacti-1.1.16-19.1 openSUSE Leap 42.2:cacti-doc-1.1.16-19.1 openSUSE Leap 42.2:cacti-spine-1.1.16-10.1 openSUSE Leap 42.3:cacti-1.1.16-19.1 openSUSE Leap 42.3:cacti-doc-1.1.16-19.1 openSUSE Leap 42.3:cacti-spine-1.1.16-10.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-updates/2017-08/msg00018.html https://www.suse.com/security/cve/CVE-2017-10970.html CVE-2017-10970 https://bugzilla.suse.com/1047512 SUSE Bug 1047512 Cross-site scripting (XSS) vulnerability in aggregate_graphs.php in Cacti 1.1.12 allows remote authenticated users to inject arbitrary web script or HTML via specially crafted HTTP Referer headers, related to the $cancel_url variable. CVE-2017-11163 openSUSE Leap 42.2:cacti-1.1.16-19.1 openSUSE Leap 42.2:cacti-doc-1.1.16-19.1 openSUSE Leap 42.2:cacti-spine-1.1.16-10.1 openSUSE Leap 42.3:cacti-1.1.16-19.1 openSUSE Leap 42.3:cacti-doc-1.1.16-19.1 openSUSE Leap 42.3:cacti-spine-1.1.16-10.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-updates/2017-08/msg00018.html https://www.suse.com/security/cve/CVE-2017-11163.html CVE-2017-11163 https://bugzilla.suse.com/1048102 SUSE Bug 1048102 https://bugzilla.suse.com/1051633 SUSE Bug 1051633 Cross-site scripting (XSS) vulnerability in auth_profile.php in Cacti 1.1.13 allows remote attackers to inject arbitrary web script or HTML via specially crafted HTTP Referer headers. CVE-2017-11691 openSUSE Leap 42.2:cacti-1.1.16-19.1 openSUSE Leap 42.2:cacti-doc-1.1.16-19.1 openSUSE Leap 42.2:cacti-spine-1.1.16-10.1 openSUSE Leap 42.3:cacti-1.1.16-19.1 openSUSE Leap 42.3:cacti-doc-1.1.16-19.1 openSUSE Leap 42.3:cacti-spine-1.1.16-10.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-updates/2017-08/msg00018.html https://www.suse.com/security/cve/CVE-2017-11691.html CVE-2017-11691 https://bugzilla.suse.com/1050950 SUSE Bug 1050950 spikekill.php in Cacti before 1.1.16 might allow remote attackers to execute arbitrary code via the avgnan, outlier-start, or outlier-end parameter. CVE-2017-12065 openSUSE Leap 42.2:cacti-1.1.16-19.1 openSUSE Leap 42.2:cacti-doc-1.1.16-19.1 openSUSE Leap 42.2:cacti-spine-1.1.16-10.1 openSUSE Leap 42.3:cacti-1.1.16-19.1 openSUSE Leap 42.3:cacti-doc-1.1.16-19.1 openSUSE Leap 42.3:cacti-spine-1.1.16-10.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-updates/2017-08/msg00018.html https://www.suse.com/security/cve/CVE-2017-12065.html CVE-2017-12065 https://bugzilla.suse.com/1051633 SUSE Bug 1051633