Ubuntu
cacti package

  1. Bug #192199
  2. Comment #10

Comment 10 for bug 192199

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package cacti - 0.8.6i-3ubuntu0.2

---------------
cacti (0.8.6i-3ubuntu0.2) feisty-security; urgency=low

  * SECURITY UPDATE: (LP: #192199)
    + CVE-2008-0783: Multiple cross-site scripting (XSS) vulnerabilities in
      Cacti 0.8.7 before 0.8.7b and 0.8.6 before 0.8.6k allow remote attackers to
      inject arbitrary web script or HTML via the (1) view_type parameter to
      graph.php, (2) filter parameter to graph_view.php, and (3) action and
      login_username parameters to index.php/login.
    + CVE-2008-0784: graph.php in Cacti 0.8.7 before 0.8.7b and 0.8.6 before
      0.8.6k allows remote attackers to obtain the full path via an invalid
      local_graph_id parameter and other unspecified vectors.
  * debian/patches/11_CVE-2008-0783_CVE-2008-0784.dpatch: applied patch by
    upstream. (backported from 0.8.6j)
    (Link: http://www.cacti.net/downloads/patches/0.8.6j/multiple_vulnerabilities-0.8.6j.patch)
  * References:
    CVE-2008-0783
    CVE-2008-0784

 -- Stephan Hermann <email address hidden> Fri, 15 Feb 2008 21:10:36 +0100