======================================================================

                                 CERT-Renater

                     Note d'Information No. 2024/VULN264
_____________________________________________________________________

DATE                : 27/05/2024

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Cacti versions prior to 1.2.27.

=====================================================================
https://forums.cacti.net/viewtopic.php?t=63099
https://github.com/Cacti/cacti/security
_____________________________________________________________________


Release of Cacti 1.2.27

Post by netniV » Sun May 12, 2024 4:14 pm
Release of Cacti 1.2.27

Thank you everyone who are using Cacti and especially those helping
to make Cacti better!

For additional details check out the README located on GitHub.

IMPORTANT: There have been a number of security issues that have
been addressed in this release. It is advised to upgrade all
existing platforms to this release as soon as possibly to avoid
possible issues.

Along with the release of Cacti 1.2.27, several plugins have been
updated/added so please check out Thold (v1.8), MacTrack (v4.7)
and the new ServCheck (v0.1) on their github repositories.

We would personally like to thank @xmacan for all his efforts,
especially with the new ServCheck, as well as all the users of
Cacti who are contributing to the community on GitHub and in
the forums. You know who you are.


Contribute

Active development of Cacti is located on GitHub! Join us in
making Cacti better, submit issues, fork and submit pull requests!

Cacti Change Log

      security#GHSA-37x7-mfjv-mm7m: Authentication Bypass when
        using using older password hashes

      security#GHSA-7cmj-g5qc-pj88: RCE vulnerability when importing
        packages

      security#GHSA-cx8g-hvq8-p2rv: RCE vulnerability when plugins
        include files

      security#GHSA-gj3f-p326-gh8r: SQL Injection vulnerability when
        using tree rules through Automation API

      security#GHSA-grj5-8fcj-34gh: XSS vulnerability when using
        JavaScript based messaging API

      security#GHSA-jrxg-8wh8-943x: SQL Injection vulnerability when
        using form templates

      security#GHSA-p4ch-7hjw-6m87: XSS vulnerability when reading
        tree rules with Automation API

      security#GHSA-rqc8-78cm-85j3: XSS vulnerability when managing
        data queries

      security#GHSA-vjph-r677-6pcc: SQL Injection vulnerability when
        retrieving graphs using Automation API

      issue#5622: Improve PHP 8.3 support
      issue#5628: When importing packages via command line, data
        source profile could not be selected
      issue#5629: When changing password, returning to previous
        page does not always work
      issue#5636: When using LDAP authentication the first time,
        warnings may appear in logs
      issue#5638: When editing/viewing devices, add IPv6 info to
        hostname tooltip
      issue#5645: Improve speed of polling when Boost is enabled
      issue#5648: Improve support for Half-Hour time zones
      issue#5649: Improve support of ping on Windows
      issue#5655: When user session not found, device lists can be
        incorrectly returned
      issue#5660: On import, legacy templates may generate warnings
      issue#5661: Improve support for alternate locations of Ping
      issue#5662: Improve PHP 8.1 support for Installer
      issue#5669: Fix issues with number formatting
      issue#5677: Improve PHP 8.1 support when SpikeKill is run first
        time
      issue#5693: Improve PHP 8.1 support for SpikeKill
      issue#5696: When using Chinese to search for graphics, garbled
        characters appear.
      issue#5701: When importing templates, preview mode will not
        always load
      issue#5720: When remote poller is installed, MySQL TimeZone DB
        checks are not performed
      issue#5723: When Remote Poller installation completes, no finish
        button is shown
      issue#5725: Unauthorized agents should be recorded into logs
      issue#5726: Poller cache may not always update if hostname
        changes
      issue#5727: When using CMD poller, Failure and Recovery dates
        may have incorrect values
      issue#5731: Saving a Tree can cause the tree to become
        unpublished
      issue#5732: Web Basic Authentication does not record user logins
      issue#5733: When using Accent-based languages, translations may
        not work properly
      issue#5743: Fix automation expressions for device rules
      issue#5748: Improve PHP 8.1 Support during fresh install with
        boost

      feature#5692: Add a device "enabled/disabled" indicator next to
        the graphs
      feature#5710: Notify the admin periodically when a remote data
        collector goes into heartbeat status
      feature#5716: Add template for Aruba Clearpass
      feature#5730: Add fliter/sort of Device Templates by Graph
       Templates


Reporting Issues

http://www.cacti.net/issues.php


Download Cacti

http://www.cacti.net/download_cacti.php


Download Spine

http://www.cacti.net/spine_download.php


Thanks!
The Cacti Group

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================