{"affected":[{"ecosystem_specific":{"binaries":[{"cacti":"1.2.27-bp155.2.9.1","cacti-spine":"1.2.27-bp155.2.9.1"}]},"package":{"ecosystem":"SUSE:Package Hub 12","name":"cacti","purl":"pkg:rpm/suse/cacti&distro=SUSE%20Package%20Hub%2012"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"1.2.27-bp155.2.9.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"cacti":"1.2.27-bp155.2.9.1","cacti-spine":"1.2.27-bp155.2.9.1"}]},"package":{"ecosystem":"SUSE:Package Hub 12","name":"cacti-spine","purl":"pkg:rpm/suse/cacti-spine&distro=SUSE%20Package%20Hub%2012"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"1.2.27-bp155.2.9.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"cacti":"1.2.27-bp155.2.9.1","cacti-spine":"1.2.27-bp155.2.9.1"}]},"package":{"ecosystem":"SUSE:Package Hub 15 SP5","name":"cacti","purl":"pkg:rpm/suse/cacti&distro=SUSE%20Package%20Hub%2015%20SP5"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"1.2.27-bp155.2.9.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"cacti":"1.2.27-bp155.2.9.1","cacti-spine":"1.2.27-bp155.2.9.1"}]},"package":{"ecosystem":"SUSE:Package Hub 15 SP5","name":"cacti-spine","purl":"pkg:rpm/suse/cacti-spine&distro=SUSE%20Package%20Hub%2015%20SP5"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"1.2.27-bp155.2.9.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"cacti":"1.2.27-bp155.2.9.1","cacti-spine":"1.2.27-bp155.2.9.1"}]},"package":{"ecosystem":"openSUSE:Leap 15.5","name":"cacti","purl":"pkg:rpm/opensuse/cacti&distro=openSUSE%20Leap%2015.5"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"1.2.27-bp155.2.9.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"cacti":"1.2.27-bp155.2.9.1","cacti-spine":"1.2.27-bp155.2.9.1"}]},"package":{"ecosystem":"openSUSE:Leap 15.5","name":"cacti-spine","purl":"pkg:rpm/opensuse/cacti-spine&distro=openSUSE%20Leap%2015.5"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"1.2.27-bp155.2.9.1"}],"type":"ECOSYSTEM"}]}],"aliases":[],"details":"This update for cacti, cacti-spine fixes the following issues:\n\n- cacti 1.2.27:\n  * CVE-2024-34340: Authentication Bypass when using older password hashes (boo#1224240)\n  * CVE-2024-25641: RCE vulnerability when importing packages (boo#1224229)\n  * CVE-2024-31459: RCE vulnerability when plugins include files (boo#1224238)\n  * CVE-2024-31460: SQL Injection vulnerability when using tree rules through Automation API (boo#1224239)\n  * CVE-2024-29894: XSS vulnerability when using JavaScript based messaging API (boo#1224231)\n  * CVE-2024-31458: SQL Injection vulnerability when using form templates (boo#1224241)\n  * CVE-2024-31444: XSS vulnerability when reading tree rules with Automation API (boo#1224236)\n  * CVE-2024-31443: XSS vulnerability when managing data queries (boo#1224235)\n  * CVE-2024-31445: SQL Injection vulnerability when retrieving graphs using Automation API (boo#1224237)\n  * CVE-2024-27082: XSS vulnerability when managing trees (boo#1224230)\n  * Improve PHP 8.3 support\n  * When importing packages via command line, data source profile could not be selected\n  * When changing password, returning to previous page does not always work\n  * When using LDAP authentication the first time, warnings may appear in logs\n  * When editing/viewing devices, add IPv6 info to hostname tooltip\n  * Improve speed of polling when Boost is enabled\n  * Improve support for Half-Hour time zones\n  * When user session not found, device lists can be incorrectly returned\n  * On import, legacy templates may generate warnings\n  * Improve support for alternate locations of Ping\n  * Improve PHP 8.1 support for Installer\n  * Fix issues with number formatting\n  * Improve PHP 8.1 support when SpikeKill is run first time\n  * Improve PHP 8.1 support for SpikeKill\n  * When using Chinese to search for graphics, garbled characters appear.\n  * When importing templates, preview mode will not always load\n  * When remote poller is installed, MySQL TimeZone DB checks are not performed\n  * When Remote Poller installation completes, no finish button is shown\n  * Unauthorized agents should be recorded into logs\n  * Poller cache may not always update if hostname changes\n  * When using CMD poller, Failure and Recovery dates may have incorrect values\n  * Saving a Tree can cause the tree to become unpublished\n  * Web Basic Authentication does not record user logins\n  * When using Accent-based languages, translations may not work properly\n  * Fix automation expressions for device rules\n  * Improve PHP 8.1 Support during fresh install with boost\n  * Add a device 'enabled/disabled' indicator next to the graphs\n  * Notify the admin periodically when a remote data collector goes into heartbeat status\n  * Add template for Aruba Clearpass\n  * Add filter/sort of Device Templates by Graph Templates\n\n- cacti-spine 1.2.27:\n  * Restore AES Support\n","id":"openSUSE-SU-2024:0274-1","modified":"2024-09-02T08:09:11Z","published":"2024-09-02T08:09:11Z","references":[{"type":"ADVISORY","url":"https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/RAIZKHB2VPK6KRYTE3TU44EJVFAT4WWP/"},{"type":"REPORT","url":"https://bugzilla.suse.com/1224229"},{"type":"REPORT","url":"https://bugzilla.suse.com/1224230"},{"type":"REPORT","url":"https://bugzilla.suse.com/1224231"},{"type":"REPORT","url":"https://bugzilla.suse.com/1224235"},{"type":"REPORT","url":"https://bugzilla.suse.com/1224236"},{"type":"REPORT","url":"https://bugzilla.suse.com/1224237"},{"type":"REPORT","url":"https://bugzilla.suse.com/1224238"},{"type":"REPORT","url":"https://bugzilla.suse.com/1224239"},{"type":"REPORT","url":"https://bugzilla.suse.com/1224240"},{"type":"REPORT","url":"https://bugzilla.suse.com/1224241"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2024-25641"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2024-27082"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2024-29894"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2024-31443"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2024-31444"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2024-31445"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2024-31458"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2024-31459"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2024-31460"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2024-34340"}],"related":["CVE-2024-25641","CVE-2024-27082","CVE-2024-29894","CVE-2024-31443","CVE-2024-31444","CVE-2024-31445","CVE-2024-31458","CVE-2024-31459","CVE-2024-31460","CVE-2024-34340"],"summary":"Security update for cacti, cacti-spine","upstream":["CVE-2024-25641","CVE-2024-27082","CVE-2024-29894","CVE-2024-31443","CVE-2024-31444","CVE-2024-31445","CVE-2024-31458","CVE-2024-31459","CVE-2024-31460","CVE-2024-34340"]}