Vulnerability Name:

CVE-2014-2326

Assigned: 2014-03-12
Published: 2014-03-27
Updated: 2016-12-21
Summary: Cross-site scripting (XSS) vulnerability in cdef.php in Cacti 0.8.7g, 0.8.8b, and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVSS v3 Severity: 3.7 Low (CCN CVSS v3 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)
  Exploitability Metrics:
    Attack Vector (AV): Network
    Attack Complexity (AC): High
    Privileges Required (PR): None
    User Interaction (UI): None
  Scope:
    Scope (S): Unchanged
  Impact Metrics:
    Confidentiality (C): None
    Integrity (I): Low
    Availability (A): None
CVSS v2 Severity: 4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
  Exploitability Metrics:
    Access Vector (AV): Network
    Access Complexity (AC): Medium
    Authentication (Au): None
  Impact Metrics:
    Confidentiality (C): None
    Integrity (I): Partial
    Availability (A): None
Vulnerability Type: CWE-79
References:
Source: CONFIRM
Type: UNKNOWN
http://bugs.cacti.net/view.php?id=2431

Source: FEDORA
Type: VENDOR_ADVISORY
http://lists.fedoraproject.org/pipermail/package-announce/2014-April/131821.html

Source: FEDORA
Type: VENDOR_ADVISORY
http://lists.fedoraproject.org/pipermail/package-announce/2014-April/131842.html

Source: SUSE
Type: VENDOR_ADVISORY
http://lists.opensuse.org/opensuse-updates/2015-03/msg00034.html

Source: MISC
Type: VENDOR_ADVISORY
http://packetstormsecurity.com/files/125849/Deutsche-Telekom-CERT-Advisory-DTC-A-20140324-001.html

Source: CONFIRM
Type: PATCH
http://svn.cacti.net/viewvc?view=rev&revision=7443

Source: DEBIAN
Type: VENDOR_ADVISORY
http://www.debian.org/security/2014/dsa-2970

Source: BUGTRAQ
Type: VENDOR_ADVISORY
20140324 Deutsche Telekom CERT Advisory [DTC-A-20140324-001] vulnerabilities in cacti

Source: BID
Type: VENDOR_ADVISORY
66390

Source: CONFIRM
Type: VENDOR_ADVISORY
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742768

Source: GENTOO
Type: UNKNOWN
https://security.gentoo.org/glsa/201509-03

Vulnerable Configuration:
  Configuration 1:
    • cpe:/o:fedoraproject:fedora:19:*:*:*:*:*:*:*
    • OR cpe:/o:fedoraproject:fedora:20:*:*:*:*:*:*:*

  Configuration 2:
    • cpe:/o:novell:opensuse:13.2:*:*:*:*:*:*:*
    • OR cpe:/o:novell:opensuse:13.1:*:*:*:*:*:*:*

  Configuration 3:
    • cpe:/a:cacti:cacti:0.8.7g:*:*:*:*:*:*:*

  Configuration 4:
    • cpe:/o:debian:debian_linux:7.0:*:*:*:*:*:*:*

Oval Definitions:
  Definition ID                              Class  Title                                                      Last Modified
  oval:org.opensuse.security:def:20142326    V      CVE-2014-2326                                              2017-03-01
  oval:org.mitre.oval:def:25061              P      DSA-2970-1 cacti - security update                         2014-08-11
  oval:com.ubuntu.precise:def:20142326000    V      CVE-2014-2326 on Ubuntu 12.04 LTS (precise) - medium.      2014-03-27
  oval:com.ubuntu.trusty:def:20142326000     V      CVE-2014-2326 on Ubuntu 14.04 LTS (trusty) - medium.       2014-03-27
  oval:com.ubuntu.xenial:def:20142326000     V      CVE-2014-2326 on Ubuntu 16.04 LTS (xenial) - medium.       2014-03-27