Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
---|---|---|---|---|---|---|
07_cli-include-path.patch | Fix cli path | Sean Finney <seanius@debian.org>, Slavko <linux@slavino.sk> | not-needed | debian | | 2018-10-13 |
enable-system-jqueryui-by-putting-cacti-changes-in-main.css.patch | Upstream embeds jquery-ui.css, but we want to use the system version of that file. To honor cacti's changes to jquery-ui.css, the delta is added as an overload in main.css instead. | Paul Gevers <elbrus@debian.org> | yes | upstream | | |
perl-path.patch | Debian has perl on the path | Paul Gevers <elbrus@debian.org> | not-needed | | | |
font-awesome-path.patch | the file on Debian systems is named slightly different | Paul Gevers <elbrus@debian.org> | no | | | |
dont-process-.github-in-docs.patch | | | no | | | |
adapt-check_all_pagest.sh-for-debian.patch | | | no | | | |
adapt-check_cli_version.sh-for-debian.patch | | | no | | | |
remove-external-images.patch | lintian detected privacy breach fix | Paul Gevers <elbrus@debian.org> | no | | | |
CVE-2023-39357.patch | [PATCH] Correct against possible SQL Injections | TheWitness <thewitness@cacti.net> | no | | | 2023-08-04 |
CVE-2023-39358_1.patch | [PATCH] Fixing another SQL Injection issue | TheWitness <thewitness@cacti.net> | no | | | 2023-08-04 |
CVE-2023-39358_2.patch | [PATCH] Minor update to SQL Injection fix | TheWitness <thewitness@cacti.net> | no | | | 2023-08-04 |
CVE-2023-39359.patch | [PATCH] Fixing XSS in graphs.php | TheWitness <thewitness@cacti.net> | no | | | 2023-08-04 |
CVE-2023-39360.patch | [PATCH] QA: Different approach to XSS issue | TheWitness <thewitness@cacti.net> | no | | https://github.com/cacti/cacti/commit/bc6dc996745ef0dee3427178c8d87a6402f3fefa | 2023-08-04 |
CVE-2023-39361.patch | [PATCH] QA: Additional REGEXP and RLIKE changes | TheWitness <thewitness@cacti.net> | no | | | 2023-08-04 |
CVE-2023-39362_1.patch | [PATCH] Addressing some potential command level injections | TheWitness <thewitness@cacti.net> | no | | | 2023-08-04 |
CVE-2023-39362_2.patch | [PATCH] QA: On command injection | TheWitness <thewitness@cacti.net> | no | | | 2023-08-04 |
CVE-2023-39364.patch | [PATCH] Correct issue with Hijacking Reference URL | TheWitness <thewitness@cacti.net> | no | | | 2023-08-04 |
CVE-2023-39365.patch | [PATCH] Fixing #5348 - Issues with Regular Expression searches in Cacti. Unchecked Regular expressions can lead to privilege escalation and data leakage | TheWitness <thewitness@cacti.net> | no | | | 2023-06-04 |
0001-Fixing-5318-Multiple-minor-stored-XSS-vulnerabilitie.patch | [PATCH] Fixing #5318 - Multiple minor stored XSS vulnerabilities | TheWitness <thewitness@cacti.net> | no | | | 2023-04-29 |
0001-Fixing-5318-Additional-XSS-in-Cacti.patch | [PATCH] Fixing #5318 - Additional XSS in Cacti | TheWitness <thewitness@cacti.net> | no | | | 2023-06-19 |
CVE-2023-39513.patch | [PATCH] Fixing #5324 - Over Escaping Debug log. This is an issue between releases due to escaping log entries in the wrong location in the security fix. This change resolves that issue. Reindex device from GUI - debug info broken due to over escaping | TheWitness <thewitness@cacti.net> | no | | https://github.com/cacti/cacti/commit/23abb0e0a9729bd056b56f4fb5a6fc8e7ebda523 | 2023-06-04 |
CVE-2023-49084.patch | [PATCH] QA: Increase Cacti Security in four areas | TheWitness <thewitness@cacti.net> | no | | https://github.com/cacti/cacti/commit/c3a647e9867ae8e2982e26342630ba9edb2d94b7 | 2023-11-18 |
CVE-2023-49085.patch | [PATCH] QA: Increase Cacti Security in four areas | TheWitness <thewitness@cacti.net> | no | | https://github.com/cacti/cacti/commit/5f451bc680d7584525d18026836af2a1e31b2188 | 2023-11-18 |
CVE-2023-49086.patch | [PATCH] QA: Fix 2 of 3 - Commits for CVE-2023-49088 and CVE-2023-48086 Missed here https://github.com/Cacti/cacti/security/advisories/GHSA-q7g7-gcf6-wh4x and here: https://github.com/Cacti/cacti/security/advisories/GHSA-wc73-r2vw-59pr | TheWitness <thewitness@cacti.net> | no | | https://github.com/cacti/cacti/commit/56f9d99e6e5ab434ea18fa344236f41e78f99c59 | 2023-12-28 |
CVE-2023-49088,50250,50569.patch | [PATCH] QA: Fix 2 of 3 - Commits for CVE-2023-49088 and CVE-2023-48086 Missed here https://github.com/Cacti/cacti/security/advisories/GHSA-q7g7-gcf6-wh4x and here: https://github.com/Cacti/cacti/security/advisories/GHSA-wc73-r2vw-59pr | TheWitness <thewitness@cacti.net> | no | | https://github.com/cacti/cacti/commit/73d9a60e24d6d826e6343b94d833b48c28b68643 | 2023-12-28 |
0026-CVE-2024-25641-Merge-pull-request-from-GHSA-7cmj-g5q.patch | CVE-2024-25641: Merge pull request from GHSA-7cmj-g5qc-pj88 * QA: Fixing Package Import CVE For now, we will only accept the Cacti public keys until such time as we are a registered CNA and have the ability to verify third parties or we make other arrangements. * QA: The keys in our package have trailing spaces [description] Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, an arbitrary file write vulnerability, exploitable through the "Package Import" feature, allows authenticated users having the "Import Templates" permission to execute arbitrary PHP code on the web server. The vulnerability is located within the `import_package()` function defined into the `/lib/import.php` script. The function blindly trusts the filename and file content provided within the XML data, and writes such files into the Cacti base path (or even outside, since path traversal sequences are not filtered). This can be exploited to write or overwrite arbitrary files on the web server, leading to execution of arbitrary PHP code or other security impacts. Version 1.2.27 contains a patch for this issue. | Petr Macek <petr.macek@kostax.cz> | yes | upstream | backport, https://github.com/Cacti/cacti/commit/eff35b0ff26cc27c82d7880469ed6d5e3bef6210 | 2024-04-07 |
0027-1-2-CVE-2024-29894-Merge-pull-request-from-GHSA-grj5.patch | [1/2] CVE-2024-29894 Merge pull request from GHSA-grj5-8fcj-34gh Cacti contains a residual cross-site scripting vulnerability caused by an incomplete fix for CVE-2023-50250. `raise_message_javascript` from `lib/functions.php` now uses purify.js to fix CVE-2023-50250 (among others). However, it still generates the code out of unescaped PHP variables `$title` and `$header`. If those variables contain single quotes, they can be used to inject JavaScript code. An attacker exploiting this vulnerability could execute actions on behalf of other users. This ability to impersonate users could lead to unauthorized changes to settings. [Summary] CVE-2023-50250, fixed in 1.2.26, can still be triggered with a non-empty file named "');alert(1);('".xml. [Details] raise_message_javascript from lib/functions.php now uses purify.js to fix CVE-2023-50250 (among others). However it still generates the code out of unescaped PHP variables $title and $header. If those variables contain single quotes, they can be used to inject JavaScript code. | Beuc <beuc@beuc.net> | yes | upstream | https://github.com/Cacti/cacti/commit/9c75f8da5b609d17c8c031fd46362f730358b792 | 2024-04-07 |
0028-2-2-CVE-2024-29894-GHSA-grj5-8fcj-34gh-follow-up-fix.patch | [2/2] CVE-2024-29894 GHSA-grj5-8fcj-34gh follow-up fix (#5751) Not sure how this was lost during the back&forth during the GHSA process but we missed escaping the 3rd parameter of raise_message_javascript(). | Beuc <beuc@beuc.net> | yes | upstream | https://github.com/Cacti/cacti/pull/5751/commits/7c60ef33e2a87b3047d66f651d7a2a096d108e58 | 2024-05-18 |
0029-CVE-2024-31443-Merge-pull-request-from-GHSA-rqc8-78c.patch | CVE-2024-31443: Merge pull request from GHSA-rqc8-78cm-85j3 some of the data stored in `form_save()` function in `data_queries.php` is not thoroughly checked and is used to concatenate the HTML statement in `grow_right_pane_tree()` function from `lib/html.php`, finally resulting in cross-site scripting. | TheWitness <thewitness@cacti.net> | no | | | 2024-04-07 |
0030-CVE-2024-31444-GHSA-p4ch-7hjw-6m87-XSS-vulnerability.patch | CVE-2024-31444 GHSA-p4ch-7hjw-6m87 XSS vulnerability when reading tree rules with Automation API some of the data stored in `automation_tree_rules_form_save()` function in `automation_tree_rules.php` is not thoroughly checked and is used to concatenate the HTML statement in `form_confirm()` function from `lib/html.php`, finally resulting in cross-site scripting. Version 1.2.27 contains a patch for the issue. | TheWitness <thewitness@cacti.net> | yes | upstream | https://github.com/Cacti/cacti/commit/86d614c38c54e0ce58774d86617ecfbb853fb57b | 2024-04-09 |
0031-CVE-2024-31445-GHSA-vjph-r677-6pcc-SQL-injection-vul.patch | CVE-2024-31445 GHSA-vjph-r677-6pcc SQL injection vulnerability A SQL injection vulnerability in `automation_get_new_graphs_sql` function of `api_automation.php` allows authenticated users to exploit these SQL injection vulnerabilities to perform privilege escalation and remote code execution. In `api_automation.php` line 856, the `get_request_var('filter')` is being concatenated into the SQL statement without any sanitization. In `api_automation.php` line 717, the filter of `'filter'` is `FILTER_DEFAULT`, which means there is no filter for it | TheWitness <thewitness@cacti.net> | yes | upstream | https://github.com/Cacti/cacti/commit/fd93c6e47651958b77c3bbe6a01fff695f81e886 | 2024-04-07 |
0032-CVE-2024-31458-GHSA-jrxg-8wh8-943x-SQL-injection.patch | CVE-2024-31458 GHSA-jrxg-8wh8-943x SQL injection some of the data stored in `form_save()` function in `graph_template_inputs.php` is not thoroughly checked and is used to concatenate the SQL statement in `draw_nontemplated_fields_graph_item()` function from `lib/html_form_templates.php`, finally resulting in SQL injection. | TheWitness <thewitness@cacti.net> | yes | upstream | https://github.com/Cacti/cacti/commit/9e87882007b6091171d1a4786f0de4ae20efef7b | 2024-04-07 |
0033-CVE-2024-31459-GHSA-cx8g-hvq8-p2rv-remote-code-execu.patch | CVE-2024-31459 GHSA-cx8g-hvq8-p2rv remote code execution There is a file inclusion issue in the lib/plugin.php file. Combined with SQL injection vulnerabilities, RCE can be implemented. | TheWitness <thewitness@cacti.net> | yes | upstream | https://github.com/Cacti/cacti/commit/96d9a4c60693d87ba0e347f1c7d33047b4effc61 | 2024-04-07 |
0034-CVE-2024-31460-GHSA-gj3f-p326-gh8r-SQL-injection.patch | CVE-2024-31460 GHSA-gj3f-p326-gh8r SQL injection some of the data stored in `automation_tree_rules.php` is not thoroughly checked and is used to concatenate the SQL statement in `create_all_header_nodes()` function from `lib/api_automation.php`, finally resulting in SQL injection. Using SQL based secondary injection technology, attackers can modify the contents of the Cacti database, and based on the modified content, it may be possible to achieve further impact, such as arbitrary file reading, and even remote code execution through arbitrary file writing | TheWitness <thewitness@cacti.net> | yes | upstream | https://github.com/Cacti/cacti/commit/8b516cb9a73322ad532231e74000c2ee097b495e | 2024-04-07 |
0035-CVE-2024-34340-GHSA-37x7-mfjv-mm7m-type-juggling-vul.patch | CVE-2024-34340 GHSA-37x7-mfjv-mm7m type juggling vulnerability Cacti calls `compat_password_hash` when users set their password. `compat_password_hash` uses `password_hash` if there is it, else use `md5`. When verifying password, it calls `compat_password_verify`. In `compat_password_verify`, `password_verify` is called if there is it, else use `md5`. `password_verify` and `password_hash` are supported on PHP < 5.5.0, following PHP manual. The vulnerability is in `compat_password_verify`. Md5-hashed user input is compared with correct password in database by `$md5 == $hash`. It is a loose comparison, not `===`. It is a type juggling vulnerability [backport] Drop changelog and french translation update | TheWitness <thewitness@cacti.net> | yes | upstream | backport, https://github.com/Cacti/cacti/commit/6183961089980322dfd9fd8011ade0f41703eaea | 2024-05-07 |