MGASA-2017-0267

See a problem?
Please try reporting it to the source first.
Source
https://advisories.mageia.org/MGASA-2017-0267.html
Import Source
https://advisories.mageia.org/MGASA-2017-0267.json
JSON Data
https://api.osv.dev/v1/vulns/MGASA-2017-0267
Related
Published
2017-08-13T22:19:29Z
Modified
2017-08-13T21:32:14Z
Summary
Updated cacti packages fix security vulnerabilities
Details

Cross-site scripting (XSS) vulnerability in link.php in Cacti 1.1.12 allows remote anonymous users to inject arbitrary web script or HTML via the id parameter, related to the diehtmlinputerror function in lib/htmlvalidate.php (CVE-2017-10970).

Cross-site scripting (XSS) vulnerability in aggregategraphs.php in Cacti 1.1.12 allows remote authenticated users to inject arbitrary web script or HTML via specially crafted HTTP Referer headers, related to the $cancelurl variable (CVE-2017-11163).

A Cross-site scripting vulnerability exists in cacti before 1.1.14 in the user profile managment page (auth_profile.php), allowing inject arbitrary web script or HTML via specially crafted HTTP Referer headers (CVE-2017-11691).

spikekill.php in Cacti before 1.1.16 might allow remote attackers to execute arbitrary code via the avgnan, outlier-start, or outlier-end parameter (CVE-2017-12065).

Cross-site scripting (XSS) vulnerability in aggregategraphs.php in Cacti before 1.1.16 allows remote authenticated users to inject arbitrary web script or HTML via specially crafted HTTP Referer headers, related to the $cancelurl variable (CVE-2017-12066).

References
Credits

Affected packages

Mageia:6 / cacti

Package

Name
cacti
Purl
pkg:rpm/mageia/cacti?distro=mageia-6

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.1.16-1.mga6

Ecosystem specific 

{
    "section": "core"
}