* SECURITY UPDATE: (LP: #192199)
+ CVE-2008-0783: Multiple cross-site scripting (XSS) vulnerabilities in
Cacti 0.8.7 before 0.8.7b and 0.8.6 before 0.8.6k allow remote attackers to
inject arbitrary web script or HTML via the (1) view_type parameter to
graph.php, (2) filter parameter to graph_view.php, and (3) action and
login_username parameters to index.php/login.
+ CVE-2008-0784: graph.php in Cacti 0.8.7 before 0.8.7b and 0.8.6 before
0.8.6k allows remote attackers to obtain the full path via an invalid
local_graph_id parameter and other unspecified vectors.
* debian/patches/11_CVE-2008-0783_CVE-2008-0784.dpatch: applied patch by
upstream.
(Link: http://www.cacti.net/downloads/patches/0.8.6j/multiple_vulnerabilities-0.8.6j.patch)
* References:
CVE-2008-0783
CVE-2008-0784
-- Stephan Hermann <email address hidden> Fri, 15 Feb 2008 20:26:11 +0100
This bug was fixed in the package cacti - 0.8.6j-1.1ubuntu0.2
---------------
cacti (0.8.6j-1.1ubuntu0.2) gutsy-security; urgency=low
* SECURITY UPDATE: (LP: #192199)
+ CVE-2008-0783: Multiple cross-site scripting (XSS) vulnerabilities in
Cacti 0.8.7 before 0.8.7b and 0.8.6 before 0.8.6k allow remote attackers to
inject arbitrary web script or HTML via the (1) view_type parameter to
graph.php, (2) filter parameter to graph_view.php, and (3) action and
login_username parameters to index.php/login.
+ CVE-2008-0784: graph.php in Cacti 0.8.7 before 0.8.7b and 0.8.6 before
0.8.6k allows remote attackers to obtain the full path via an invalid
local_graph_id parameter and other unspecified vectors.
* debian/patches/11_CVE-2008-0783_CVE-2008-0784.dpatch: applied patch by
upstream.
(Link: http://www.cacti.net/downloads/patches/0.8.6j/multiple_vulnerabilities-0.8.6j.patch)
* References:
CVE-2008-0783
CVE-2008-0784
-- Stephan Hermann <email address hidden> Fri, 15 Feb 2008 20:26:11 +0100