The remote Debian 10 host has a package installed that is affected by multiple vulnerabilities as referenced in the dla-3765 advisory.

    - -------------------------------------------------------------------------     Debian LTS Advisory DLA-3765-1                debian-lts@lists.debian.org     https://www.debian.org/lts/security/                      Sylvain Beucler     March 18, 2024                                https://wiki.debian.org/LTS
    - -------------------------------------------------------------------------

    Package        : cacti     Version        : 1.2.2+ds1-2+deb10u6     CVE ID         : CVE-2023-39357 CVE-2023-39360 CVE-2023-39361 CVE-2023-39362                      CVE-2023-39364 CVE-2023-39365 CVE-2023-39513 CVE-2023-39515                      CVE-2023-39516 CVE-2023-49084 CVE-2023-49085 CVE-2023-49086                      CVE-2023-49088     Debian Bug     : 1059254

    Multiple vulnerabilities were found in Cacti, a network monitoring     system. An attacker could manipulate the database, execute code     remotely, launch DoS (denial-of-service) attacks or impersonate Cacti     users, in some situations.

    CVE-2023-39357

        When the column type is numeric, the sql_save function directly         utilizes user input. Many files and functions calling the sql_save         function do not perform prior validation of user input, leading to         the existence of multiple SQL injection vulnerabilities in         Cacti. This allows authenticated users to exploit these SQL         injection vulnerabilities to perform privilege escalation and         remote code execution.

    CVE-2023-39360

        Stored Cross-Site-Scripting (XSS) Vulnerability allows an         authenticated user to poison data. The vulnerability is found in         `graphs_new.php`. Several validations are performed, but the         `returnto` parameter is directly passed to `form_save_button`. In         order to bypass this validation, returnto must contain `host.php`.

    CVE-2023-39361

        SQL injection discovered in graph_view.php. Since guest users can         access graph_view.php without authentication by default, if guest         users are being utilized in an enabled state, there could be the         potential for significant damage. Attackers may exploit this         vulnerability, and there may be povssibilities for actions such as         the usurpation of administrative privileges or remote code         execution.

    CVE-2023-39362

        An authenticated privileged user, can use a malicious string in         the SNMP options of a Device, performing command injection and         obtaining remote code execution on the underlying server. The         `lib/snmp.php` file has a set of functions, with similar behavior,         that accept in input some variables and place them into an `exec`         call without a proper escape or validation.

    CVE-2023-39364

        Users with console access can be redirected to an arbitrary         website after a change password performed via a specifically         crafted URL. The `auth_changepassword.php` file accepts `ref` as a         URL parameter and reflects it in the form used to perform the         change password. It's value is used to perform a redirect via         `header` PHP function. A user can be tricked in performing the         change password operation, e.g., via a phishing message, and then         interacting with the malicious website where the redirection has         been performed, e.g., downloading malwares, providing credentials,         etc.

    CVE-2023-39365

        Issues with Cacti Regular Expression validation combined with the         external links feature can lead to limited SQL Injections and         subsequent data leakage.

    CVE-2023-39513

        Stored Cross-Site-Scripting (XSS) Vulnerability which allows an         authenticated user to poison data stored in the _cacti_'s         database. The script under `host.php` is used to monitor and         manage hosts in the _cacti_ app, hence displays useful information         such as data queries and verbose logs.

    CVE-2023-39515

        Stored Cross-Site-Scripting (XSS) Vulnerability allows an         authenticated user to poison data stored in the cacti's         database. These data will be viewed by administrative cacti         accounts and execute JavaScript code in the victim's browser at         view-time. The script under `data_debug.php` displays data source         related debugging information such as _data source paths, polling         settings, meta-data on the data source.

    CVE-2023-39516

        Stored Cross-Site-Scripting (XSS) Vulnerability which allows an         authenticated user to poison data stored in the _cacti_'s         database. These data will be viewed by administrative _cacti_         accounts and execute JavaScript code in the victim's browser at         view-time. The script under `data_sources.php` displays the data         source management information (e.g. data source path, polling         configuration etc.) for different data visualizations of the
        _cacti_ app.

    CVE-2023-49084

        While using the detected SQL Injection and insufficient processing         of the include file path, it is possible to execute arbitrary code         on the server. Exploitation of the vulnerability is possible for         an authorized user. The vulnerable component is the `link.php`.

    CVE-2023-49085

        It is possible to execute arbitrary SQL code through the         `pollers.php` script. An authorized user may be able to execute         arbitrary SQL code. The vulnerable component is the `pollers.php`.

    CVE-2023-49086

        Bypassing an earlier fix (CVE-2023-39360) that leads to a DOM XSS         attack. Exploitation of the vulnerability is possible for an         authorized user. The vulnerable component is the `graphs_new.php`.

    CVE-2023-49088

        The fix applied for CVE-2023-39515 in version 1.2.25 is incomplete         as it enables an adversary to have a victim browser execute         malicious code when a victim user hovers their mouse over the         malicious data source path in `data_debug.php`.

    For Debian 10 buster, these problems have been fixed in version     1.2.2+ds1-2+deb10u6.

    We recommend that you upgrade your cacti packages.

    For the detailed security status of cacti please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/cacti

    Further information about Debian LTS security advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://wiki.debian.org/LTS

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Detections

Analytics

Debian dla-3765 : cacti - security update

critical Nessus Plugin ID 192197

Version 1.2

Version 1.1

Version 1.0

Version 1.0

Version 1.2 Jan 22, 2025, 3:03 PM CVSS metrics ("Cvssv4 score" set to 0.0) CVSSv2 severity (based on None, severity decreased from "High" to "Low") Plugin metadata Plugin Feed: 202501221503
Version 1.1 Mar 19, 2024, 2:37 PM Exploit attributes ("Exploit framework metasploit" set to "True") Plugin Feed: 202403191437
Version 1.0 Mar 18, 2024, 9:25 PM New Plugin Feed: 202403182125
Version 1.0 Mar 19, 2024, 12:36 PM Exploit attributes ("Exploit framework metasploit" set to "True") Plugin Feed: 202403191236