Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Cacti Subscribe
Total 86 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2014-4002 2 Cacti, Opensuse 2 Cacti, Opensuse 2018-10-30 4.3 MEDIUM N/A
Multiple cross-site scripting (XSS) vulnerabilities in Cacti 0.8.8b allow remote attackers to inject arbitrary web script or HTML via the (1) drp_action parameter to cdef.php, (2) data_input.php, (3) data_queries.php, (4) data_sources.php, (5) data_templates.php, (6) graph_templates.php, (7) graphs.php, (8) host.php, or (9) host_templates.php or the (10) graph_template_input_id or (11) graph_template_id parameter to graph_templates_inputs.php.
CVE-2013-5588 2 Cacti, Opensuse 2 Cacti, Opensuse 2018-10-30 4.3 MEDIUM N/A
Multiple cross-site scripting (XSS) vulnerabilities in Cacti 0.8.8b and earlier allow remote attackers to inject arbitrary web script or HTML via (1) the step parameter to install/index.php or (2) the id parameter to cacti/host.php.
CVE-2013-5589 3 Cacti, Debian, Opensuse 3 Cacti, Debian Linux, Opensuse 2018-10-30 7.5 HIGH N/A
SQL injection vulnerability in cacti/host.php in Cacti 0.8.8b and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter.
CVE-2014-2326 4 Cacti, Debian, Fedoraproject and 1 more 4 Cacti, Debian Linux, Fedora and 1 more 2018-10-30 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in cdef.php in Cacti 0.8.7g, 0.8.8b, and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2014-5026 3 Cacti, Debian, Opensuse 3 Cacti, Debian Linux, Opensuse 2018-10-30 3.5 LOW N/A
Multiple cross-site scripting (XSS) vulnerabilities in Cacti 0.8.8b allow remote authenticated users with console access to inject arbitrary web script or HTML via a (1) Graph Tree Title in a delete or (2) edit action; (3) CDEF Name, (4) Data Input Method Name, or (5) Host Templates Name in a delete action; (6) Data Source Title; (7) Graph Title; or (8) Graph Template Name in a delete or (9) duplicate action.
CVE-2008-0784 1 Cacti 1 Cacti 2018-10-15 5.0 MEDIUM N/A
graph.php in Cacti 0.8.7 before 0.8.7b and 0.8.6 before 0.8.6k allows remote attackers to obtain the full path via an invalid local_graph_id parameter and other unspecified vectors.
CVE-2008-0785 1 Cacti 1 Cacti 2018-10-15 7.5 HIGH N/A
Multiple SQL injection vulnerabilities in Cacti 0.8.7 before 0.8.7b and 0.8.6 before 0.8.6k allow remote authenticated users to execute arbitrary SQL commands via the (1) graph_list parameter to graph_view.php, (2) leaf_id and id parameters to tree.php, (3) local_graph_id parameter to graph_xport.php, and (4) login_username parameter to index.php/login.
CVE-2008-0786 1 Cacti 1 Cacti 2018-10-15 4.3 MEDIUM N/A
CRLF injection vulnerability in Cacti 0.8.7 before 0.8.7b and 0.8.6 before 0.8.6k, when running on older PHP interpreters, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.
CVE-2008-0783 1 Cacti 1 Cacti 2018-10-15 4.3 MEDIUM N/A
Multiple cross-site scripting (XSS) vulnerabilities in Cacti 0.8.7 before 0.8.7b and 0.8.6 before 0.8.6k allow remote attackers to inject arbitrary web script or HTML via (1) the view_type parameter to graph.php; (2) the filter parameter to graph_view.php; (3) the action parameter to the draw_navigation_text function in lib/functions.php, reachable through index.php (aka the login page) or data_input.php; or (4) the login_username parameter to index.php.
CVE-2009-4112 1 Cacti 1 Cacti 2018-10-10 9.0 HIGH N/A
Cacti 0.8.7e and earlier allows remote authenticated administrators to gain privileges by modifying the "Data Input Method" for the "Linux - Get Memory Usage" setting to contain arbitrary commands.
CVE-2016-10700 1 Cacti 1 Cacti 2017-12-11 6.5 MEDIUM 8.8 HIGH
auth_login.php in Cacti before 1.0.0 allows remote authenticated users who use web authentication to bypass intended access restrictions by logging in as a user not in the cacti database, because the guest user is not considered. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-2313.
CVE-2014-4000 1 Cacti 1 Cacti 2017-11-29 6.5 MEDIUM 8.8 HIGH
Cacti before 1.0.0 allows remote authenticated users to conduct PHP object injection attacks and execute arbitrary PHP code via a crafted serialized object, related to calling unserialize(stripslashes()).
CVE-2017-16641 1 Cacti 1 Cacti 2017-11-28 9.0 HIGH 7.2 HIGH
lib/rrd.php in Cacti 1.1.27 allows remote authenticated administrators to execute arbitrary OS commands via the path_rrdtool parameter in an action=save request to settings.php.
CVE-2017-16661 1 Cacti 1 Cacti 2017-11-28 4.0 MEDIUM 4.9 MEDIUM
Cacti 1.1.27 allows remote authenticated administrators to read arbitrary files by placing the Log Path into a private directory, and then making a clog.php?filename= request, as demonstrated by filename=passwd (with a Log Path under /etc) to read /etc/passwd.
CVE-2017-16785 1 Cacti 1 Cacti 2017-11-27 4.3 MEDIUM 6.1 MEDIUM
Cacti 1.1.27 has reflected XSS via the PATH_INFO to host.php.
CVE-2015-4342 2 Cacti, Fedoraproject 2 Cacti, Fedora 2017-11-07 7.5 HIGH N/A
SQL injection vulnerability in Cacti before 0.8.8d allows remote attackers to execute arbitrary SQL commands via unspecified vectors involving a cdef id.
CVE-2015-4454 2 Cacti, Fedoraproject 2 Cacti, Fedora 2017-11-03 7.5 HIGH N/A
SQL injection vulnerability in the get_hash_graph_template function in lib/functions.php in Cacti before 0.8.8d allows remote attackers to execute arbitrary SQL commands via the graph_template_id parameter to graph_templates.php.
CVE-2015-2665 2 Cacti, Fedoraproject 2 Cacti, Fedora 2017-11-03 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in Cacti before 0.8.8d allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2017-15194 1 Cacti 1 Cacti 2017-10-20 4.3 MEDIUM 6.1 MEDIUM
include/global_session.php in Cacti 1.1.25 has XSS related to (1) the URI or (2) the refresh page.
CVE-2015-4634 1 Cacti 1 Cacti 2017-09-21 7.5 HIGH N/A
SQL injection vulnerability in graphs.php in Cacti before 0.8.8e allows remote attackers to execute arbitrary SQL commands via the local_graph_id parameter.