Total
85 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2020-14295 | 2 Cacti, Fedoraproject | 2 Cacti, Fedora | 2021-06-02 | 6.5 MEDIUM | 7.2 HIGH |
A SQL injection issue in color.php in Cacti 1.2.12 allows an admin to inject SQL via the filter parameter. This can lead to remote command execution because the product accepts stacked queries. | |||||
CVE-2020-35701 | 2 Cacti, Fedoraproject | 2 Cacti, Fedora | 2021-05-21 | 6.5 MEDIUM | 8.8 HIGH |
An issue was discovered in Cacti 1.2.x through 1.2.16. A SQL injection vulnerability in data_debug.php allows remote authenticated attackers to execute arbitrary SQL commands via the site_id parameter. This can lead to remote code execution. | |||||
CVE-2019-17358 | 3 Cacti, Debian, Opensuse | 3 Cacti, Debian Linux, Leap | 2020-08-24 | 5.5 MEDIUM | 8.1 HIGH |
Cacti through 1.2.7 is affected by multiple instances of lib/functions.php unsafe deserialization of user-controlled data to populate arrays. An authenticated attacker could use this to influence object data values and control actions taken by Cacti or potentially cause memory corruption in the PHP module. | |||||
CVE-2018-20725 | 1 Cacti | 1 Cacti | 2020-03-01 | 3.5 LOW | 4.8 MEDIUM |
A cross-site scripting (XSS) vulnerability exists in graph_templates.php in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Graph Vertical Label. | |||||
CVE-2018-20726 | 1 Cacti | 1 Cacti | 2020-03-01 | 3.5 LOW | 5.4 MEDIUM |
A cross-site scripting (XSS) vulnerability exists in host.php (via tree.php) in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Website Hostname field for Devices. | |||||
CVE-2018-20724 | 1 Cacti | 1 Cacti | 2020-03-01 | 3.5 LOW | 4.8 MEDIUM |
A cross-site scripting (XSS) vulnerability exists in pollers.php in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Website Hostname for Data Collectors. | |||||
CVE-2018-20723 | 1 Cacti | 1 Cacti | 2020-03-01 | 3.5 LOW | 4.8 MEDIUM |
A cross-site scripting (XSS) vulnerability exists in color_templates.php in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Name field for a Color. | |||||
CVE-2019-17357 | 1 Cacti | 1 Cacti | 2020-03-01 | 4.0 MEDIUM | 6.5 MEDIUM |
Cacti through 1.2.7 is affected by a graphs.php?template_id= SQL injection vulnerability affecting how template identifiers are handled when a string and id composite value are used to identify the template type and id. An authenticated attacker can exploit this to extract data from the database, or an unauthenticated remote attacker could exploit this via Cross-Site Request Forgery. | |||||
CVE-2020-7237 | 1 Cacti | 1 Cacti | 2020-02-18 | 9.0 HIGH | 8.8 HIGH |
Cacti 1.2.8 allows Remote Code Execution (by privileged users) via shell metacharacters in the Performance Boost Debug Log field of poller_automation.php. OS commands are executed when a new poller cycle begins. The attacker must be authenticated, and must have access to modify the Performance Settings of the product. | |||||
CVE-2020-7058 | 1 Cacti | 1 Cacti | 2020-01-23 | 6.5 MEDIUM | 8.8 HIGH |
** DISPUTED ** data_input.php in Cacti 1.2.8 allows remote code execution via a crafted Input String to Data Collection -> Data Input Methods -> Unix -> Ping Host. NOTE: the vendor has stated "This is a false alarm." | |||||
CVE-2019-16723 | 1 Cacti | 1 Cacti | 2019-12-19 | 4.0 MEDIUM | 4.3 MEDIUM |
In Cacti through 1.2.6, authenticated users may bypass authorization checks (for viewing a graph) via a direct graph_json.php request with a modified local_graph_id parameter. | |||||
CVE-2017-16660 | 1 Cacti | 1 Cacti | 2019-10-02 | 9.0 HIGH | 7.2 HIGH |
Cacti 1.1.27 allows remote authenticated administrators to conduct Remote Code Execution attacks by placing the Log Path under the web root, and then making a remote_agent.php request containing PHP code in a Client-ip header. | |||||
CVE-2017-12065 | 1 Cacti | 1 Cacti | 2019-10-02 | 7.5 HIGH | 9.8 CRITICAL |
spikekill.php in Cacti before 1.1.16 might allow remote attackers to execute arbitrary code via the avgnan, outlier-start, or outlier-end parameter. | |||||
CVE-2017-11163 | 1 Cacti | 1 Cacti | 2019-05-03 | 3.5 LOW | 5.4 MEDIUM |
Cross-site scripting (XSS) vulnerability in aggregate_graphs.php in Cacti 1.1.12 allows remote authenticated users to inject arbitrary web script or HTML via specially crafted HTTP Referer headers, related to the $cancel_url variable. | |||||
CVE-2018-10059 | 1 Cacti | 1 Cacti | 2019-03-07 | 3.5 LOW | 5.4 MEDIUM |
Cacti before 1.1.37 has XSS because the get_current_page function in lib/functions.php relies on $_SERVER['PHP_SELF'] instead of $_SERVER['SCRIPT_NAME'] to determine a page name. | |||||
CVE-2014-2709 | 2 Cacti, Debian | 2 Cacti, Debian Linux | 2018-12-13 | 7.5 HIGH | N/A |
lib/rrd.php in Cacti 0.8.7g, 0.8.8b, and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in unspecified parameters. | |||||
CVE-2014-2328 | 4 Cacti, Debian, Fedoraproject and 1 more | 4 Cacti, Debian Linux, Fedora and 1 more | 2018-12-13 | 6.5 MEDIUM | N/A |
lib/graph_export.php in Cacti 0.8.7g, 0.8.8b, and earlier allows remote authenticated users to execute arbitrary commands via shell metacharacters in unspecified vectors. | |||||
CVE-2014-2327 | 3 Cacti, Debian, Opensuse | 3 Cacti, Debian Linux, Opensuse | 2018-12-13 | 6.8 MEDIUM | N/A |
Cross-site request forgery (CSRF) vulnerability in Cacti 0.8.7g, 0.8.8b, and earlier allows remote attackers to hijack the authentication of users for unspecified commands, as demonstrated by requests that (1) modify binary files, (2) modify configurations, or (3) add arbitrary users. | |||||
CVE-2014-5026 | 3 Cacti, Debian, Opensuse | 3 Cacti, Debian Linux, Opensuse | 2018-10-30 | 3.5 LOW | N/A |
Multiple cross-site scripting (XSS) vulnerabilities in Cacti 0.8.8b allow remote authenticated users with console access to inject arbitrary web script or HTML via a (1) Graph Tree Title in a delete or (2) edit action; (3) CDEF Name, (4) Data Input Method Name, or (5) Host Templates Name in a delete action; (6) Data Source Title; (7) Graph Title; or (8) Graph Template Name in a delete or (9) duplicate action. | |||||
CVE-2014-5025 | 3 Cacti, Debian, Opensuse | 3 Cacti, Debian Linux, Opensuse | 2018-10-30 | 3.5 LOW | N/A |
Cross-site scripting (XSS) vulnerability in data_sources.php in Cacti 0.8.8b allows remote authenticated users with console access to inject arbitrary web script or HTML via the name_cache parameter in a ds_edit action. |