Release Notes -
Welcome to Cacti 1.2.10!
IMPORTANT: Prior to this release, 1.2.10, a flaw existed which allowed a malicious actor to execute remote code by use of Guest Accounts with Real Time Access.
This can be countered using any of the following:
- Ensure the PHP version is greater than 7.2
- Disable the Guest Account
- Disable Guest access to Real Time Graphs
- Use Cacti 1.2.10+
Special thanks to all that have helped by contributing code and reporting
issues on GitHub!
For additional details, please check out the README located on GitHub.
security#3285: When guest users have access to realtime graphs, remote code could be executed (CVE-2020-8813)
issue#3240: When using User Domains, global template user is used instead of the configured domain template user
issue#3245: Unix timestamps after Sep 13 2020 are rejected as graph start/end arguments
issue#3246: When upgrading with remote collectors, sync status does not always return properly
issue#3250: When PHP memory limit is set to -1, recommendation value fails
issue#3253: Upgrade can stall when checking permissions on csrf-secret.php
issue#3254: Installer shows script owner rather than running user for suggested chown command
issue#3266: When setting User Groups to 'Defer to the User', setting can lead to user being told they have no permissions
issue#3269: When searching Graphs under a Chinese language, an unexpected error is sometimes shown
issue#3274: When editing a tree, multiple device drag/drop does not work
issue#3276: When spine aborts, script server can be left wanting or generating unnecessary logs
issue#3277: When boost does not find an initial time, numeric errors can be raised
issue#3281: When changing Graph Template options, incorrect image format may be selected
issue#3282: Graphs can be sized incorrectly if image is SVG format
issue#3283: When setting a file path, valid characters are not recognised properly
issue#3287: When using graph template 'Cacti Stats - User Logins', an incorrect count of invalid users can be seen
issue#3288: When on Device page, pressing 'Go' on the filter caused Device New menu pick to appear
issue#3289: When using CMD.PHP, poller id is not always shown properly
issue#3290: When using CMD.PHP, inconsistent device logging levels may occur
issue#3302: Editing a Graph Template does not show the Data Template name