CVE-2014-2327

Name: CVE-2014-2327
Description: Cross-site request forgery (CSRF) vulnerability in Cacti 0.8.7g, 0.8.8b, and earlier allows remote attackers to hijack the authentication of users for unspecified commands, as demonstrated by requests that (1) modify binary files, (2) modify configurations, or (3) add arbitrary users.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
References: DSA-2970-1
NVD severity: medium (attack range: remote)
Debian Bugs: 742768

Vulnerable and fixed packages

The table below lists information on source packages.

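| Source Package | Release           | Version                | Status |
|----------------|-------------------|------------------------|--------|
| cacti (PTS)    | wheezy            | 0.8.8a+dfsg-5+deb7u8   | fixed  |
|                | wheezy (security) | 0.8.8a+dfsg-5+deb7u10  | fixed  |
|                | jessie            | 0.8.8b+dfsg-8+deb8u6   | fixed  |
|                | jessie (security) | 0.8.8b+dfsg-8+deb8u4   | fixed  |
|                | stretch, sid      | 0.8.8h+ds1-5           | fixed  |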

The information below is based on the following data on fixed versions.

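| Package | Type   | Release    | Fixed Version         | Urgency | Origin     | Debian Bugs |
|---------|--------|------------|-----------------------|---------|------------|-------------|
| cacti   | source | (unstable) | 0.8.8b+dfsg-6         | medium  |            | 742768      |
| cacti   | source | squeeze    | 0.8.7g-1+squeeze4     | medium  |            | 742768      |
| cacti   | source | wheezy     | 0.8.8a+dfsg-5+deb7u3  | medium  | DSA-2970-1 |             |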

Notes

http://bugs.cacti.net/view.php?id=2432
