[Bug 1173090] VUL-1: CVE-2020-14295: cacti: SQL injection issue in color.php allows an admin to inject SQL via the filter parameter. This can lead to remote command execution because the product accepts stacked queries

14 Jul 2020


      http://bugzilla.opensuse.org/show_bug.cgi?id=1173090
http://bugzilla.opensuse.org/show_bug.cgi?id=1173090#c3

--- Comment #3 from Andreas Stieger <Andreas.Stieger@gmx.de> ---
from https://www.cacti.net/release_notes.php?version=1.2.13

security#3544: jQuery XSS vulnerabilities require vendor package update
(CVE-2020-11022 / CVE-2020-11023)
security#3549: Lack of escaping on some pages can lead to XSS exposure
security#3582: Update PHPMailer to 6.1.6 (CVE-2020-13625)
security#3622: SQL Injection vulnerability due to input validation failure when
editing colors (CVE-2020-14295)
security#3628: Lack of escaping on template import can lead to XSS exposure

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug 1173090] VUL-1: CVE-2020-14295: cacti: SQL injection issue in color.php allows an admin to inject SQL via the filter parameter. This can lead to remote command execution because the product accepts stacked queries

bugzilla_noreply＠suse.com