DSA-4604-1 cacti -- cacti
ID: oval:org.secpod.oval:def:61491 | Date: (C)2019-12-23 (M)2022-10-10 | Class: PATCH | Family: unix

Multiple issues have been found in cacti, a server monitoring system, potentially resulting in SQL code execution or information disclosure by authenticated users.

CVE-2019-16723: Authenticated users may bypass authorization checks for viewing a graph by submitting requests with modified local_graph_id parameters.

CVE-2019-17357: The graph administration interface insufficiently sanitizes the template_id parameter, potentially resulting in SQL injection. This vulnerability might be leveraged by authenticated attackers to perform unauthorized SQL code execution on the database.

CVE-2019-17358: The sanitize_unserialize_selected_items function insufficiently sanitizes user input before deserializing it, potentially resulting in unsafe deserialization of user-controlled data. This vulnerability might be leveraged by authenticated attackers to influence the program control flow or cause memory corruption.
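The three defect classes named in the advisory (a missing authorization check on an object id, an unbound SQL parameter, and unserialize() over user-controlled input) each have a standard PHP mitigation. The block below is an added illustration written for this page; it is not cacti's own code and does not reproduce its fixes. The function names, the graph_permissions and graph_templates tables, and the SQLite setup are assumptions made so the example runs stand-alone.

```php
<?php
// Added example: hardening patterns for the defect classes in DSA-4604-1.
// Hypothetical code, not cacti's; table and function names are assumptions.
declare(strict_types=1);

// 1. Authorization (cf. CVE-2019-16723): decide visibility server-side from the
//    session's user id, never from the fact that a local_graph_id was supplied.
function graph_visible_to_user(PDO $db, int $graphId, int $userId): bool {
    // Assumed schema: graph_permissions(graph_id, user_id) lists viewable graphs.
    $stmt = $db->prepare('SELECT 1 FROM graph_permissions WHERE graph_id = :g AND user_id = :u');
    $stmt->execute([':g' => $graphId, ':u' => $userId]);
    return $stmt->fetchColumn() !== false;
}

// 2. SQL (cf. CVE-2019-17357): the weak form interpolates template_id into the
//    statement text, so a non-numeric value changes the statement itself.
function fetch_template_unsafe(PDO $db, string $templateId): array {
    return $db->query("SELECT * FROM graph_templates WHERE id = $templateId")->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: validate the type, then bind; the value can only ever be data.
function fetch_template(PDO $db, string $templateId): array {
    if (!ctype_digit($templateId)) {
        throw new InvalidArgumentException('template_id must be a non-negative integer');
    }
    $stmt = $db->prepare('SELECT * FROM graph_templates WHERE id = :id');
    $stmt->bindValue(':id', (int) $templateId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// 3. Deserialization (cf. CVE-2019-17358): allowed_classes => false (PHP >= 7.0)
//    prevents any object from being instantiated during unserialize(); the result
//    is then reduced to the one shape the caller expects (a list of integer ids).
function unserialize_selected_items(string $raw): array {
    $items = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($items)) {
        return [];   // objects, scalars and malformed input are all rejected here
    }
    $clean = [];
    foreach ($items as $item) {
        if (is_int($item) || (is_string($item) && ctype_digit($item))) {
            $clean[] = (int) $item;
        }
    }
    return $clean;
}

// Constructed sample data: an in-memory SQLite database and two serialized inputs.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE graph_permissions (graph_id INTEGER, user_id INTEGER)');
$db->exec('CREATE TABLE graph_templates (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec('INSERT INTO graph_permissions VALUES (10, 1)');
$db->exec("INSERT INTO graph_templates VALUES (1, 'cpu'), (2, 'memory')");

var_dump(graph_visible_to_user($db, 10, 1));   // bool(true)
var_dump(graph_visible_to_user($db, 10, 2));   // bool(false): other user, same graph id
print_r(fetch_template($db, '2'));             // the 'memory' row only
try {
    fetch_template($db, '2 OR 1=1');           // rejected before any query is built
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
print_r(unserialize_selected_items(serialize([1, 2, '3'])));   // [1, 2, 3]
print_r(unserialize_selected_items('O:8:"stdClass":0:{}'));    // [] (object refused)
```

The ordering in fetch_template matters: the ctype_digit() check rejects malformed input with a clear error, and the bound PDO::PARAM_INT guarantees that even a value which passes validation is transmitted as data rather than spliced into the statement. For the deserialization case, allowed_classes => false removes object instantiation as a side effect, but the shape check afterwards is what actually limits the data the rest of the application will act on.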