USN-5214-1

Description

cacti vulnerabilities It was discovered that Cacti was incorrectly validating permissions for user accounts that had been recently disabled. An authenticated attacker could possibly use this to obtain unauthorized access to application and system data. (CVE-2020-13230) It was discovered that Cacti was incorrectly performing authorization checks in auth_profile.php. A remote unauthenticated attacker could use this to perform a CSRF attack and set a new admin email or make other changes. This issue only affected Ubuntu 18.04 ESM and Ubuntu 20.04 ESM. (CVE-2020-13231) It was discovered that Cacti incorrectly handled user provided input sent through request parameters to the color.php script. A remote authenticated attacker could use this issue to perform SQL injection attacks. This issue only affected Ubuntu 18.04 ESM and Ubuntu 20.04 ESM. (CVE-2020-14295) It was discovered that Cacti did not properly escape file input fields when performing template import operations for various themes. An authenticated attacker could use this to perform XSS attacks. This issue only affected Ubuntu 18.04 ESM and Ubuntu 20.04 ESM. (CVE-2020-14424) It was discovered that Cacti incorrectly handled user provided input sent through request parameters to the data_debug.php script. A remote authenticated attacker could use this issue to perform SQL injection attacks. This issue only affected Ubuntu 20.04 ESM. (CVE-2020-35701)

Affected Systems

• ubuntu•cacti

  < 0.8.8f+ds1-4ubuntu4.16.04.2+esm1 | < 1.1.38+ds1-1ubuntu0.1~esm1 | < 1.2.10+ds1-1ubuntu1+esm1

References (6)

• https://ubuntu.com/security/notices/USN-5214-1
• https://ubuntu.com/security/CVE-2020-13230
• https://ubuntu.com/security/CVE-2020-13231
• https://ubuntu.com/security/CVE-2020-14295
• https://ubuntu.com/security/CVE-2020-14424
• https://ubuntu.com/security/CVE-2020-35701