cacti 1.2.2+ds1-2+deb10u3 source package in Debian

Changelog

cacti (1.2.2+ds1-2+deb10u3) buster; urgency=medium

  * Unix timestamps after Sep 13 2020 are rejected as graph start/end
    arguments (Upstream bug #3245)
  * CVE-2020-7237: Remote Code Execution (by privileged users) via shell
    metacharacters in the Performance Boost Debug Log field of
    poller_automation.php. OS commands are executed when a new poller
    cycle begins. The attacker must be authenticated, and must have access
    to modify the Performance Settings of the product. (Closes: #949997)
  * CVE-2020-7106: XSS in data_sources.php, color_templates_item.php,
    graphs.php, graph_items.php, lib/api_automation.php, user_admin.php,
    and user_group_admin.php, as demonstrated by the description parameter
    in data_sources.php (a raw string from the database that is displayed
    by $header to trigger the XSS). (Closes: #949996)
  * CVE-2020-13230: Disabling a user account does not immediately
    invalidate any permissions granted to that account (e.g., permission
    to view logs)
  * CVE-2020-13231: auth_profile.php?action=edit allows CSRF for an admin
    email change

 -- Paul Gevers <email address hidden>  Thu, 18 Jun 2020 22:34:41 +0200

Upload details

Uploaded by: Cacti Maintainer
Uploaded to: Buster
Original maintainer: Cacti Maintainer
Architectures: all
Section: web
Urgency: Medium Urgency

Downloads

File Size SHA-256 Checksum
cacti_1.2.2+ds1-2+deb10u3.dsc 2.2 KiB b9b4889ddd6c1ca37f9f89ae53f82a19f4178cde1b4a85a439486a311d5b47cf
cacti_1.2.2+ds1.orig-docs-source.tar.gz 12.2 MiB 5d94359ea0b15cfe8f96ddc9999394594563cb34de2bb500a54f7b27565b44b4
cacti_1.2.2+ds1.orig.tar.xz 3.5 MiB 45d263e2cbc7aa40e162c35adbe45229bd231e16faf082dbc01fb36403140bef
cacti_1.2.2+ds1-2+deb10u3.debian.tar.xz 64.6 KiB fdea59cd06101307c0f338b0c18e4db11831118a6d6c23db28fe2358b9142c52

No changes file available.