cacti: CVE-2017-12927: XSS in spikekill.php via method parameter

Related Vulnerabilities: CVE-2017-12927  

Debian Bug report logs - #872478

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 17 Aug 2017 19:21:01 UTC

Severity: important

Tags: fixed-upstream, patch, security, upstream

Found in version cacti/1.1.17+ds1-1

Fixed in version cacti/1.1.17+ds1-2

Done: Paul Gevers <elbrus@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/Cacti/cacti/issues/907



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>:
Bug#872478; Package src:cacti. (Thu, 17 Aug 2017 19:21:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>. (Thu, 17 Aug 2017 19:21:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: cacti: XSS in spikekill.php via method parameter
Date: Thu, 17 Aug 2017 21:17:42 +0200
Source: cacti
Version: 1.1.17+ds1-1
Severity: important
Tags: patch upstream security fixed-upstream
Forwarded: https://github.com/Cacti/cacti/issues/907

hi

Opening the tracking bug for the XSS issue reported at
https://github.com/Cacti/cacti/issues/907. Upstream fix:
https://github.com/Cacti/cacti/commit/a032ce0be6a4ea47862c594e40a619ac8de1ef99

A CVE has been requested for this issue.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>:
Bug#872478; Package src:cacti. (Fri, 18 Aug 2017 05:09:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>. (Fri, 18 Aug 2017 05:09:04 GMT)


Message #10 received at 872478@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 872478@bugs.debian.org
Subject: Re: Bug#872478: cacti: XSS in spikekill.php via method parameter
Date: Fri, 18 Aug 2017 07:06:38 +0200
Control: retitle -1 cacti: CVE-2017-12927: XSS in spikekill.php via method parameter

On Thu, Aug 17, 2017 at 09:17:42PM +0200, Salvatore Bonaccorso wrote:
> Source: cacti
> Version: 1.1.17+ds1-1
> Severity: important
> Tags: patch upstream security fixed-upstream
> Forwarded: https://github.com/Cacti/cacti/issues/907
> 
> hi
> 
> Opening the tracking bug for the XSS issue reported at
> https://github.com/Cacti/cacti/issues/907. Upstream fix:
> https://github.com/Cacti/cacti/commit/a032ce0be6a4ea47862c594e40a619ac8de1ef99
> 
> A CVE has been requested for this issue.

CVE-2017-12927 has been assigned.

Regards,
Salvatore



Changed Bug title to 'cacti: CVE-2017-12927: XSS in spikekill.php via method parameter' from 'cacti: XSS in spikekill.php via method parameter'. Request was from Salvatore Bonaccorso <carnil@debian.org> to 872478-submit@bugs.debian.org. (Fri, 18 Aug 2017 05:09:04 GMT)


Reply sent to Paul Gevers <elbrus@debian.org>:
You have taken responsibility. (Fri, 18 Aug 2017 21:06:08 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 18 Aug 2017 21:06:08 GMT)


Message #17 received at 872478-close@bugs.debian.org:

From: Paul Gevers <elbrus@debian.org>
To: 872478-close@bugs.debian.org
Subject: Bug#872478: fixed in cacti 1.1.17+ds1-2
Date: Fri, 18 Aug 2017 21:04:47 +0000
Source: cacti
Source-Version: 1.1.17+ds1-2

We believe that the bug you reported is fixed in the latest version of
cacti, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 872478@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Paul Gevers <elbrus@debian.org> (supplier of updated cacti package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Fri, 18 Aug 2017 21:15:23 +0200
Source: cacti
Binary: cacti
Architecture: source
Version: 1.1.17+ds1-2
Distribution: unstable
Urgency: medium
Maintainer: Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>
Changed-By: Paul Gevers <elbrus@debian.org>
Description:
 cacti      - web interface for graphing of monitoring systems
Closes: 872478
Changes:
 cacti (1.1.17+ds1-2) unstable; urgency=medium
 .
   * CVE-2017-12927 XSS vulnerability in spikekill.php (Closes: #872478)
   * [tests] fix grep expression to unblock Ubuntu
   * [tests] Add improve-boost-logging-on-fresh-installs.patch and don't
     filter on the fixed messages
   * Fix typo in previous changelog message

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 16 Sep 2017 07:29:06 GMT)

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:52:34 2019; Machine Name: buxtehude