SB2020052742 - Fedora 32 update for cacti, cacti-spine

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Cross-site request forgery (CVE-ID: CVE-2020-13231)

The vulnerability allows a remote attacker to perform cross-site request forgery attacks.

The vulnerability exists due to insufficient validation of the HTTP request origin in auth_profile.php?action=edit. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website, such as changing data in victim's profile.

2) Improper Preservation of Permissions (CVE-ID: CVE-2020-13230)

The vulnerability allows a remote attacker to gain access to otherwise restricted functionality.

The vulnerability exists due to application does not properly processes operations, related to accounts deactivation. When disabling a user account the application does not immediately invalidate any permissions granted to that account (e.g., permission to view logs). A remote attacker, whose account was disabled can still access the application for certain amount of time.

Remediation

Install update from vendor's website.

References

• https://bodhi.fedoraproject.org/updates/FEDORA-2020-8560db8779