
====================================================================

                             CERT-Renater

                 Note d'Information No. 2020/VULN088
_____________________________________________________________________

DATE                : 20/02/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Cacti versions prior to 1.2.9.

=====================================================================
https://forums.cacti.net/viewtopic.php?f=4&t=60645&sid=418d0471a8bb27c7114b8ae4ee673e69
_____________________________________________________________________

Release of Cacti 1.2.9

Thank you to everyone who is using Cacti, and especially to those helping
to make Cacti better!

For additional details check out the README located on GitHub.



Contribute

Active development of Cacti is located on GitHub! Join us in making
Cacti better, submit issues, fork and submit pull requests!


Cacti Change Log

    security#3191: Lack of escaping on some pages can lead to XSS
      exposure (CVE-2020-7106)
    security#3201: Remote Code Execution due to input validation failure
      in Performance Boost Debug Log (CVE-2020-7237)
    issue#2937: Devices still show in lists despite being deleted
    issue#3038: When editing an aggregate on smaller screens, layout may
      not be correct
    issue#3136: Upgrade may fail between 1.2.7 and 1.2.8 if incompatible
      database format used
    issue#3142: Chrome sets graphs tree navigation view to width 0px
    issue#3146: Unable to create aggregate graphs on new installations
    issue#3149: After refresh of page, tooltips stop working
    issue#3150: When using Time Graph View, Zooming can cause errors
    issue#3151: Passing glue string after array is deprecated in PHP 7.4
    issue#3155: Aggregate does not correctly follow color template when
      reordered
    issue#3156: On new installs, gprint_format was missing from table
      aggregate_graphs
    issue#3157: Back button not working properly with Classic theme
    issue#3158: Classic theme shows only 3 tabs on mobile devices and does
      not show the Console menu
    issue#3159: PHP Memory is not correctly identified when value is not
      in megabytes
    issue#3161: When the poller_output_boost table is missing, recreate
      it before a poller run
    issue#3163: When using RPMlint, Free Software Foundation address is
      shown to be incorrect
    issue#3165: Zoom loses its focus after all graphs on page rendered
    issue#3166: When changing zoom level, graphs are resized
      inappropriately at the end
    issue#3167: Installer should initialize the csrf-secret.php file
      automatically
    issue#3168: sqltable_to_php.php script does not pick up row_format
    issue#3177: Remove legacy plugin hook that presents potential 3rd
      party security issues
    issue#3178: The change password page is not displaying the rules
    issue#3180: Receiving undefined index errors when working with some
      Data Queries
    issue#3181: When configuration file is unreadable, Cacti shows
      database connection errors if non defaults are needed
    issue#3182: When a database connection error occurs, there is no way
      to report actual error
    issue#3184: Improve program path detection by using system path and
      PHP_BINDIR
    issue#3193: Starting with MySQL 5.7 some sql_mode variables are
      required for some plugins
    issue#3196: Minimize use of eval() in JavaScript due to emerging
      Content-Security-Context guidelines
    issue#3200: Unable to mass change Graph Template image format
    issue#3206: Converted aggregate graph cannot be edited
    issue#3209: Error occurs when Creating New Graphs through
      Automatically Added Devices using Sync Device Template
    issue#3216: When editing a Data Source Profile size is shown as
      'N/A'
    issue#3224: When removing graphs by command line, regex is not
      properly validated when empty
    issue#3225: Unable to Import Templates due to invalid dependency
      hash
    issue#3226: When processing secpass login, failed logins are not
      recorded
    issue#3228: Login page does not remember the last realm used by user
    issue#3232: When editing HRULE and VRULE items, color selector was
      not presented
    issue#3233: When working with non-templated graphs, it can be
      difficult to determine what items represent
    issue#3235: Transient errors may occur with table
      poller_output_boost_arch


Reporting Issues

http://www.cacti.net/issues.php

Download Cacti

http://www.cacti.net/download_cacti.php

Download Spine

http://www.cacti.net/spine_download.php


Thanks!
The Cacti Group

=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================