Launchpad.net

CVE 2014-4002

Multiple cross-site scripting (XSS) vulnerabilities in Cacti 0.8.8b allow remote attackers to inject arbitrary web script or HTML via the (1) drp_action parameter to cdef.php, (2) data_input.php, (3) data_queries.php, (4) data_sources.php, (5) data_templates.php, (6) graph_templates.php, (7) graphs.php, (8) host.php, or (9) host_templates.php or the (10) graph_template_input_id or (11) graph_template_id parameter to graph_templates_inputs.php.

Related bugs and status

CVE-2014-4002 (Candidate) is related to these bugs:

Bug #1210822: Please backport cacti security fixes

		In	Importance	Status
1210822	Please backport cacti security fixes	cacti (Ubuntu)	Medium	Fix Released
1210822	Please backport cacti security fixes	cacti (Ubuntu Vivid)	Medium	Fix Released
1210822	Please backport cacti security fixes	cacti (Ubuntu Precise)	Medium	Won't Fix
1210822	Please backport cacti security fixes	cacti (Ubuntu Utopic)	Medium	Fix Released
1210822	Please backport cacti security fixes	cacti (Ubuntu Trusty)	Medium	Fix Released

Bug #1478245: Cacti package requires php5-mysql, should work with php5-mysqlnd too

Summary				In	Importance	Status
	1478245	Cacti package requires php5-mysql, should work with php5-mysqlnd too		cacti (Ubuntu)	Undecided	Fix Released
	1478245	Cacti package requires php5-mysql, should work with php5-mysqlnd too		cacti (Debian)	Unknown	Fix Released

See the

CVE page on Mitre.org for more details.

References

DEBIAN: DSA-2970
SECUNIA: 59517
SECUNIA: 59203
SUSE: openSUSE-SU-2015:0479
BID: 68257
GENTOO: GLSA-201509-03
CONFIRM: http://svn.cacti.net/v...
CONFIRM: http://svn.cacti.net/v...