Headline
CVE-2021-23225: The Complete RRDTool-based Graphing Solution
Cacti 1.1.38 allows authenticated users with User Management permissions to inject arbitrary web script or HTML in the “new_username” field during creation of a new user via “Copy” method at user_admin.php.
Type | ID | Text
feature | | Add a Timeout setting for Remote Agent calls
feature | | Add Graphs and Data Sources hyperlinks on Device page
feature | | Add One Minute Sampling to the default Data Source Profiles
feature | | Add support for DDERIVE and DCOUNTER to Cacti
feature | | Add Timezone support for Remote Data Collectors
feature | | Allow Adding Aggregate Graphs to a Report
feature | | Allow ASCII filepath paths to not be found on settings save
feature | | Allow drill down from Graphs to Data Queries or Templates
feature | | Allow Import/Export to be hookable
feature | | Allow snmpagent to be disabled for very large installs
feature | | Allow Top tabs to be Glyphs or Text or both
feature | | Big Spanish translation update plus massive QA fixes
feature | | Change password page provides visible confirmation of password rules
feature | | Do not allow second data source to be added to an SNMP Get data template
feature | | Don't allow removal of Data Sources from Data Template once it's in use
feature | | Inform the primary Cacti administrator of problems by Email
feature | | Make all user settings dynamic and allow resetting to default
feature | | Make Graph and Data Source suggested naming more efficient
feature | | Make it easy to find Data Query based graphs that have lost indexes
feature | | Make Top Tabs use Ajax Callback
feature | | Make tree editing responsive
feature | | New Install/Upgrade user permission to limit access to being able to upgrade
feature | | Provide option to debug width errors where output exceeds column width
feature | | Removed the Authentication Method of 'None'
feature | | Tree automation is now defaulted to on for new install
feature | | Update JavaScript library c3.js to version 0.6.8
feature | | Update JavaScript library Chart.js to 2.7.3
feature | | Update JavaScript library d3.js to version 5.7.0
feature | | Update JavaScript library jquery.js to 3.3.1
feature | | Update JavaScript library jquery-migrate.js to 3.0.1
feature | | Update JavaScript library jquery.tablesorter.js to version 2.30.7
feature | | Update JavaScript library jstree.js to 3.3.7
feature | | Update JavaScript library screenfull.js to 3.3.3
feature | | Update phpmailer to version 6.0.6
feature | | Update phpseclib to version 2.0.13
feature | 289 | Allow external nologin access for Realtime Graphs
feature | 553 | When displaying a host, include Aggregated Graphs as well as standard graphs
feature | 614 | Allow users to duplicate Data Input Methods
feature | 973 | When creating a new user authenticated via LDAP, attempt to retrieve the user's email and full name
feature | 122 | Support a Site Branch Type
feature | 1060 | Design Enhancement for Large scale Cacti Implementations
feature | 1142 | Add Site dropdown to the Graphs and Data Source pages
feature | 1184 | Improve Data Input Methods editability and message handling
feature | 1200 | Aggregate Graphs can now include COMMENT
feature | 1282 | Email notification for Automation Network discovery process
feature | 1347 | Update automation logging to work better
feature | 1395 | Ensure messages have each new line keep the same prefix in cacti_log()
feature | 1399 | Allow 'requires' to include version against a plugin
feature | 1400 | User settings are now dynamic and can be reset (removed) to return to global settings
feature | 1422 | Automatically select the next unused data input field when clicking add on data input method
feature | 1505 | When displaying a graph, provide breadcrumb link to edit device
feature | 1527 | Update Fontawesome from 4.7 to 5.0.10
feature | 1580 | Support Drag & Drop for Builtin Report Items
feature | 1581 | Allow Mass Adding of Graphs to Reports
feature | 1584 | Allow theme selection when installing
feature | 1588 | Check that PHP can run a test file
feature | 1593 | Allow External links to auto refresh
feature | 1597 | Ensure synchronised files have same attributes as originals
feature | 1610 | On Unix, redirect error messages to log files when running external scripts
feature | 1628 | Allow the User to define an initial Automation Network for discovery when installing
feature | 1670 | Improve Graph Management to show type of source for a graph
feature | 1671 | When duplicating a Graph Template, properly duplicate Data Query Graph Template Mappings
feature | 1677 | Default Tree nodes sorting to be inherited
feature | 1691 | On Graph context menu, add a 'Copy graph' option to copy graph image
feature | 1692 | Separate option for logging Input Validation issues
feature | 1703 | On Graph context menu, text is now multi-lingual
feature | 1708 | Allow the User to override global Automation email recipients at the Automation Network level
feature | 1709 | Suppress warning from RRDTool when attempting to make updates in the past
feature | 1711 | Add support for SSL connections to MySQL
feature | 1731 | Prevent loss of changes by warning user about unsaved items
feature | 1734 | When displaying a graph, provide more information when error image is displayed (see also #1428)
feature | 1763 | Enable automatic refresh for Time Graph View
feature | 1806 | Control low level debug routines via config.php (Developer Use)
feature | 1819 | Provide CLI program to enable graphs to be removed by scripts
feature | 1969 | Graph previews can now be linked using a host's external id
feature | 2006 | Introduce new Data Source Profile to handle decade long graphs
feature | 2173 | Introduce Device and Graph Template Caching to Speed UI
feature | 2228 | Add Device ID to Device search field
issue | | Fix issue with display_custom_error_message() causing problem with system error message handling
issue | | Graph List View was not fully responsive
issue | | Move Graph removal function to Graph API
issue | | On the Data Sources page, if there is no filtered Device and a Data Source is edited, device association is lost
issue | | Typo in Dutch translations when an error occurred while downgrading
issue | | Unable to display user profile tabs
issue | | Verify all Fields not working due to Cacti 1.x upgrade error
issue | 186 | Cacti does not support jQueryUI 1.12.x
issue | 187 | Remove the use of jQuery Migrate plugin
issue | 948 | Do not create a new datasource when adding a new Graph for the same device/field
issue | 454 | Cacti Re-Index does not resolve index changes properly during re-index
issue | 983 | Import Template Preview is misleading
issue | 1097 | When copying template user, newly created user should always be enabled to allow logging in
issue | 1097 | When copying template user, it should be disabled to prevent logging in as template user directly
issue | 1174 | When displaying a tree, disable drag and drop unless in edit mode
issue | 1298 | Display fatal error to prevent issues caused when system log is not writable
issue | 1350 | When switching an Automation Tree Rule's leaf type, remove invalid Automation Rule Items
issue | 1383 | CSRF Timeout does not obey session timeout
issue | 1408 | Update SQL / Backtrace to use new clean_up_lines() function
issue | 1414 | DSSTATS reports incorrectly that a data source does not exist
issue | 1420 | Fix issues found by Debian package builds
issue | 1421 | Fix issue when SQL had all bad modes, missing variable warning was generated
issue | 1426 | Fix issue where remote poller was not using unique filenames when attempting to verify files
issue | 1437 | Plugin install hover message sometimes shows line breaks rather than formatted text
issue | 1454 | When using oid_regexp_parse, filter indexes to those that match
issue | 1473 | Recovery Date overwritten by subsequent checks
issue | 1494 | Unable to Deep Link/Bookmark Trees
issue | 1503 | Undefined function clearstatscache in DSSTATS
issue | 1507 | When saving graph settings from the graph page, the graph template id should not be included
issue | 1510 | New Graphs Undefined Variable $graph_template_name
issue | 1521 | Force boost to be enabled when there are Remote Data Collectors
issue | 1528 | Saving a device can result in WARNINGS related to string vs array handling
issue | 1529 | Allow Aggregate Graphs to Sum Bandwidth and Percentile COMMENTS
issue | 1543 | Graph Preview appends header=false too many times
issue | 1553 | Poller does not set rrd_step_counter correctly if no steps taken
issue | 1559 | CLI Output Issues due to over escaping
issue | 1560 | Warning that escapeshellarg() is escaping a null
issue | 1567 | Technical support - add notification if Cacti and Spine version is different
issue | 1574 | User templates are not correctly being applied
issue | 1589 | Installer now checks that the temporary folder is writable
issue | 1590 | User Admin generates SQL error if user is not part of any groups
issue | 1601 | Aggregate Graphs can not include some classes of COMMENT
issue | 1602 | PHP ERROR: Call to undefined function api_data_source_cache_crc_update()
issue | 1604 | Failed to connect to remote collector
issue | 1606 | Boost debug log not functional
issue | 1607 | Boost next run time occurs in the past
issue | 1608 | Possible boost race conditions
issue | 1609 | Remote pollers update 'stats_poller' on main poller
issue | 1617 | Editing a data query results in missing $header variable
issue | 1621 | Realtime Popup can cause automatic logout
issue | 1626 | httpd-error.log has message about Fontconfig
issue | 1634 | Default snmp quick print setting resulting in false poller ASSERTS on some php releases
issue | 1651 | Check temporary folder has write access during import
issue | 1655 | Correct Cacti to handle new MySQL 8.0 reserved word `system`
issue | 1658 | Devices drop down should be filtered by Site
issue | 1660 | Reports based upon Tree don't maintain graph order
issue | 1665 | Must change password not working for local users when main realm is not local
issue | 1669 | Console log header grammar issue
issue | 1674 | Threads and Processes values not migrated to Poller table during upgrade
issue | 1676 | Allow automation discovery to add the same sysname on different hosts
issue | 1682 | Slow Select Statement lib/api_automation.php
issue | 1689 | Technical Support's RRDTool version should show detected RRD version
issue | 1690 | Report a warning if the default collation is not utf8mb4_unicode_ci
issue | 1700 | Mail sent without auth causes errors to appear in logs
issue | 1710 | RRDtool create command causes first update to fail
issue | 1721 | Console Side Bar not correct on first login
issue | 1723 | die() messages should include PHP_EOF for better logging
issue | 1726 | Poor page performance editing a Graph's Graph Items
issue | 1746 | Poller with no hosts does not exit until timeout is reached
issue | 1761 | Graph Management page shows bogus template names
issue | 1783 | Browser Back button still not working
issue | 1796 | Import: Fixed handling of references to objects not included in file
issue | 1799 | Default User log sort should be date descending
issue | 1810 | Correct SQL errors with authentication set to no authentication
issue | 1839 | Dummy cosmetic bug on down device selection option
issue | 1841 | Data Source Stats table not properly migrated from pre 1.x Cacti plugin
issue | 1849 | SNMPAgent not sending traps
issue | 1852 | Reports Preview/Mails show no graphs
issue | 1889 | Insecure $ENV{ENV} when running setgid
issue | 1901 | Upgrade from 0.8.8h fails on external_links statement
issue | 1921 | Data Query XML field method 'rewrite_index' does not correctly query for value
issue | 1926 | Deselecting items should present warning or disable GO button
issue | 1948 | Device Template should warn about need to re-sync
issue | 1953 | set_default_action() should warn if more than one action provided
issue | 1973 | SpikeKill Menu does not display properly
issue | 1976 | Default admin permissions do not allow everything
issue | 1982 | Certain hooks should occur within api functions rather than UI functions
issue | 2002 | api_plugin_db_table_create should support non-string defaults
issue | 2012 | For kernel 3.2+, "Linux - Memory - Free" should grep for "MemAvailable:", not "MemFree:"
issue | 2085 | CLOG Regex Parser does not verify registered function exists
issue | 2126 | api_device.php generates undefined function poller_push_to_remote_db_connect()
issue | 2127 | Unable to save error when duplicating graph
issue | 2135 | api_tree_lock() and api_tree_unlock() forcing redirection incorrectly
issue | 2143 | export.php Illegal string offset 'method'
issue | 2144 | Device Management "Status" column does not sort properly
issue | 2152 | When editing a device, should show disable/enable option
issue | 2153 | Utilities page issues the wrong hook for tabs
issue | 2163 | LDAP functions are not consistent
issue | 2164 | Login page does not remember selected realm
issue | 2171 | datepicker and timepick translation not available
issue | 2178 | Header/Footer included more than once
issue | 2182 | Graph View missing 'html_graph_template_multiselect()' function
issue | 2184 | html_host_filter() does not handle host_id consequently
issue | 2186 | Boost generates invalid SQL during on demand update
issue | 2188 | SNMP timeout errors are being duplicated
issue | 2191 | i18n_themes is not properly primed in global_arrays.php
issue | 2202 | Can't create more than one graph with add_graphs.php from one template
issue | 2207 | Removing Graph Template does not Remove Data Query Associations
issue | 2217 | cmd.php not handling quoted snmp values properly
issue | 2240 | SNMP system Data Input Methods should not be modified on import
issue | 2241 | Spike removal not functional due to Debian packaging
security | 1072 | Prevent exploitation of Data Input Methods to escalate privileges (CVE-2009-4112)
security | 1882 | Bypass output validation in select cases
security | 2212 | Stored XSS in "Website Hostname" field
security | 2213 | Stored XSS in "Website Hostname" field - Devices
security | 2214 | Stored XSS in "Vertical Label" field - Graph
security | 2215 | Stored XSS in "Name" field - Color
Related news
Cacti before 1.1.37 has XSS because it makes certain htmlspecialchars calls without the ENT_QUOTES flag (these calls occur when the html_escape function in lib/html.php is not used).
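Both entries on this page come down to output encoding: the headline CVE is a stored XSS in a field (new_username) that reached the page unescaped, and the related note explains that pre-1.1.37 Cacti escaped some output with htmlspecialchars() but without ENT_QUOTES, so a single quote passed through and a value rendered inside a single-quoted HTML attribute could end that attribute. The following PHP is an added illustration of that gap, not code from Cacti or from lib/html.php; the wrapper name escape_strong() and the sample value are this editor's constructions, and the page's own html_escape() is only assumed to behave similarly. ENT_COMPAT is passed explicitly because PHP 8.1 changed the default flags to include ENT_QUOTES, which would otherwise hide the older behaviour.

```php
<?php
// Added example (not Cacti's own code): why htmlspecialchars() without
// ENT_QUOTES is insufficient for single-quoted attribute contexts.

// The pre-PHP-8.1 default: only double quotes are encoded.
function escape_weak(string $s): string {
    return htmlspecialchars($s, ENT_COMPAT | ENT_SUBSTITUTE, 'UTF-8');
}

// What an html_escape()-style wrapper should always do (assumed, not Cacti's
// actual implementation): encode both quote styles and invalid UTF-8.
function escape_strong(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Check used when reviewing templates: an escaped value is only safe inside a
// single-quoted attribute if no raw single quote survives encoding.
function safe_for_single_quoted_attr(string $escaped): bool {
    return strpos($escaped, "'") === false;
}

// Constructed sample value, as a stored field such as a username might hold.
$value = "O'Brien <admin>";

$weak   = escape_weak($value);
$strong = escape_strong($value);

printf("ENT_COMPAT  -> <input value='%s'>  safe=%s\n",
    $weak, safe_for_single_quoted_attr($weak) ? 'yes' : 'no');
printf("ENT_QUOTES  -> <input value='%s'>  safe=%s\n",
    $strong, safe_for_single_quoted_attr($strong) ? 'yes' : 'no');
```

With ENT_COMPAT the raw quote survives, so the first rendered attribute is terminated early by the stored value; with ENT_QUOTES it becomes `&#039;` and the attribute stays intact. For a deployment the practical checks are that every template output goes through a wrapper that fixes the flags (or runs on PHP 8.1+, where the default already includes ENT_QUOTES) and that the Cacti version is at or above 1.1.37 for the related note and above 1.1.38 for the headline issue.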