AVG-537

Package cacti
Status Fixed
Severity High
Type multiple issues
Affected 1.1.17-1
Fixed 1.1.28-1
Current 1.2.5-1 [community]
Ticket None
Created Sat Dec 2 14:41:48 2017
Issue           Severity  Remote  Type                         Description (below each entry)
CVE-2017-16785  High      Yes     Cross-site scripting
    Cacti 1.1.27 has reflected XSS via the PATH_INFO to host.php.

CVE-2017-16661  Medium    Yes     Arbitrary filesystem access
    Cacti 1.1.27 allows remote authenticated administrators to read arbitrary files by placing the Log Path into a private directory, and then making a...

CVE-2017-16660  High      Yes     Arbitrary code execution
    Cacti 1.1.27 allows remote authenticated administrators to conduct Remote Code Execution attacks by placing the Log Path under the web root, and then making...

CVE-2017-16641  High      Yes     Arbitrary command execution
    lib/rrd.php in Cacti 1.1.27 allows remote authenticated administrators to execute arbitrary OS commands via the path_rrdtool parameter in an action=save...
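The three path-handling issues above (CVE-2017-16641, CVE-2017-16660, CVE-2017-16661) share one root cause: a path typed into the settings form by an administrator is trusted as-is, once as a program to execute and twice as a place to write a log that the web server can then serve or that can be pointed outside the log directory. The PHP below is an added example, not Cacti code and not the fix the project shipped in 1.1.28; it shows the checks a settings-save handler can apply before persisting such values: a conservative character set plus realpath() resolution for the rrdtool binary, a containment check that keeps the log file inside a dedicated directory and out of the web root, and a shell-free invocation through proc_open() with an argument array. The directory constants, function names and sample inputs are assumptions; which samples are accepted depends on which of the files exist on the host that runs it.

```php
<?php
// Added example, not Cacti code: defensive handling of administrator-supplied
// paths of the kind behind CVE-2017-16641 (path_rrdtool), CVE-2017-16660 and
// CVE-2017-16661 (log path). Constants, function names and inputs are assumptions.
declare(strict_types=1);

const WEB_ROOT     = '/usr/share/webapps/cacti';  // assumed install location
const LOG_BASE_DIR = '/var/log/cacti';            // assumed log directory

/**
 * True when the directory containing $path, after symlink resolution, is
 * $base or lies beneath it. Resolving the directory rather than the file
 * lets a log file that does not exist yet be checked as well.
 */
function pathIsInside(string $path, string $base): bool
{
    $realBase = realpath($base);
    $realDir  = realpath(dirname($path));
    if ($realBase === false || $realDir === false) {
        return false;
    }
    $prefix = rtrim($realBase, '/') . '/';
    return $realDir === $realBase || strncmp($realDir, $prefix, strlen($prefix)) === 0;
}

/**
 * Accept only an absolute path built from a conservative character set that
 * resolves to an existing executable regular file. Spaces, ';', '|', '`' and
 * '$(' never get into the stored value, so they can never reach a shell later.
 */
function validateRrdtoolPath(string $candidate): ?string
{
    if (!preg_match('#^/[A-Za-z0-9_./-]+$#', $candidate)) {
        return null;
    }
    $real = realpath($candidate);
    if ($real === false || !is_file($real) || !is_executable($real)) {
        return null;
    }
    return $real;
}

/**
 * Accept a log path only if it stays inside LOG_BASE_DIR (so it cannot name a
 * file in some other, private directory) and outside WEB_ROOT (so log content,
 * which echoes remote input, is never served or executed as PHP).
 */
function validateLogPath(string $candidate): ?string
{
    if ($candidate === '' || $candidate[0] !== '/' || strpos($candidate, "\0") !== false) {
        return null;
    }
    if (!pathIsInside($candidate, LOG_BASE_DIR) || pathIsInside($candidate, WEB_ROOT)) {
        return null;
    }
    if (strtolower(pathinfo($candidate, PATHINFO_EXTENSION)) !== 'log') {
        return null;
    }
    // pathIsInside() succeeded, so realpath() of the directory is known to work.
    return rtrim(realpath(dirname($candidate)), '/') . '/' . basename($candidate);
}

/** Run rrdtool without a shell: the argv array bypasses /bin/sh entirely (PHP >= 7.4). */
function runRrdtool(string $rrdtool, array $args): array
{
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open(array_merge([$rrdtool], $args), $spec, $pipes);
    if (!is_resource($proc)) {
        return ['exit' => -1, 'out' => '', 'err' => 'proc_open failed'];
    }
    fclose($pipes[0]);
    $out = stream_get_contents($pipes[1]);
    $err = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    return ['exit' => proc_close($proc), 'out' => $out, 'err' => $err];
}

// Constructed inputs: one value an honest administrator would save and several
// that an attacker holding an admin session might submit instead.
$rrdCandidates = ['/usr/bin/rrdtool', '/usr/bin/rrdtool; id', '/usr/bin/rrdtool $(id)', '/tmp/rrdtool'];
foreach ($rrdCandidates as $c) {
    printf("path_rrdtool %-26s -> %s\n", var_export($c, true), validateRrdtoolPath($c) ?? 'REJECTED');
}

$logCandidates = [LOG_BASE_DIR . '/cacti.log', WEB_ROOT . '/log/cacti.log',
                  LOG_BASE_DIR . '/../../../etc/cacti.log', '/etc/passwd'];
foreach ($logCandidates as $c) {
    printf("log path     %-44s -> %s\n", var_export($c, true), validateLogPath($c) ?? 'REJECTED');
}

if (($bin = validateRrdtoolPath('/usr/bin/rrdtool')) !== null) {
    $r = runRrdtool($bin, ['--version']);   // argument list, never an interpolated shell string
    echo trim($r['out'] !== '' ? $r['out'] : $r['err']), "\n";
}
```

Run it with `php settings-check.php` (any file name; PHP 7.4 or later for the array form of proc_open()). The point of the two validators is that they run at save time, so a value that would later be interpolated into a command line or used as a write target is rejected before it is ever stored; the invocation helper removes the shell from the picture so that even a value that slipped past validation is passed as a single argv entry rather than parsed for metacharacters.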
Date         Advisory      Package  Description
02 Dec 2017  ASA-201712-2  cacti    multiple issues