rpm package
opensuse/cacti&distro=openSUSE Tumbleweed
pkg:rpm/opensuse/cacti&distro=openSUSE%20Tumbleweed
Vulnerabilities (87)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-0540 | — | < 1.2.30+git306.82d5aef5-1.1 | 1.2.30+git306.82d5aef5-1.1 | Mar 3, 2026 | DOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, fixed in commit 2726c74, contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting five missing rawtext elements (noscript, xmp, noembed, noframes, iframe) in the SAFE_F | ||
| CVE-2026-1513 | — | < 1.2.30+git231.bca15e70c-1.1 | 1.2.30+git231.bca15e70c-1.1 | Jan 28, 2026 | billboard.js before 3.18.0 allows an attacker to execute malicious JavaScript due to improper sanitization during chart option binding. | ||
| CVE-2024-34340 | — | < 1.2.27-1.1 | 1.2.27-1.1 | May 13, 2024 | Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, Cacti calls `compat_password_hash` when users set their password. `compat_password_hash` use `password_hash` if there is it, else use `md5`. When verifying password, it calls `compat | ||
| CVE-2024-31460 | — | < 1.2.27-1.1 | 1.2.27-1.1 | May 13, 2024 | Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, some of the data stored in `automation_tree_rules.php` is not thoroughly checked and is used to concatenate the SQL statement in `create_all_header_nodes()` function from `lib/api_a | ||
| CVE-2024-31459 | — | < 1.2.27-1.1 | 1.2.27-1.1 | May 13, 2024 | Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, there is a file inclusion issue in the `lib/plugin.php` file. Combined with SQL injection vulnerabilities, remote code execution can be implemented. There is a file inclusion issue w | ||
| CVE-2024-31458 | — | < 1.2.27-1.1 | 1.2.27-1.1 | May 13, 2024 | Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, some of the data stored in `form_save()` function in `graph_template_inputs.php` is not thoroughly checked and is used to concatenate the SQL statement in `draw_nontemplated_fields_g | ||
| CVE-2024-31445 | — | < 1.2.27-1.1 | 1.2.27-1.1 | May 13, 2024 | Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, a SQL injection vulnerability in `automation_get_new_graphs_sql` function of `api_automation.php` allows authenticated users to exploit these SQL injection vulnerabilities to perform | ||
| CVE-2024-31444 | — | < 1.2.27-1.1 | 1.2.27-1.1 | May 13, 2024 | Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, some of the data stored in `automation_tree_rules_form_save()` function in `automation_tree_rules.php` is not thoroughly checked and is used to concatenate the HTML statement in `for | ||
| CVE-2024-31443 | — | < 1.2.27-1.1 | 1.2.27-1.1 | May 13, 2024 | Cacti provides an operational monitoring and fault management framework. Prior to 1.2.27, some of the data stored in `form_save()` function in `data_queries.php` is not thoroughly checked and is used to concatenate the HTML statement in `grow_right_pane_tree()` function from `lib | ||
| CVE-2024-29894 | — | < 1.2.27-1.1 | 1.2.27-1.1 | May 13, 2024 | Cacti provides an operational monitoring and fault management framework. Versions of Cacti prior to 1.2.27 contain a residual cross-site scripting vulnerability caused by an incomplete fix for CVE-2023-50250. `raise_message_javascript` from `lib/functions.php` now uses purify.js | ||
| CVE-2024-27082 | — | < 1.2.27-1.1 | 1.2.27-1.1 | May 13, 2024 | Cacti provides an operational monitoring and fault management framework. Versions of Cacti prior to 1.2.27 are vulnerable to stored cross-site scripting, a type of cross-site scripting where malicious scripts are permanently stored on a target server and served to users who acces | ||
| CVE-2024-25641 | — | < 1.2.27-1.1 | 1.2.27-1.1 | May 13, 2024 | Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, an arbitrary file write vulnerability, exploitable through the "Package Import" feature, allows authenticated users having the "Import Templates" permission to execute arbitrary PHP | ||
| CVE-2024-27355 | — | < 1.2.30+git457.e55c2aea-1.1 | 1.2.30+git457.e55c2aea-1.1 | Mar 1, 2024 | An issue was discovered in phpseclib 1.x before 1.0.23, 2.x before 2.0.47, and 3.x before 3.0.36. When processing the ASN.1 object identifier of a certificate, a sub identifier may be provided that leads to a denial of service (CPU consumption for decodeOID). | ||
| CVE-2023-51448 | — | < 1.2.26-1.1 | 1.2.26-1.1 | Dec 22, 2023 | Cacti provides an operational monitoring and fault management framework. Version 1.2.25 has a Blind SQL Injection (SQLi) vulnerability within the SNMP Notification Receivers feature in the file `‘managers.php’`. An authenticated attacker with the “Settings/Utilities” permission c | ||
| CVE-2023-50250 | — | < 1.2.26-1.1 | 1.2.26-1.1 | Dec 22, 2023 | Cacti is an open source operational monitoring and fault management framework. A reflection cross-site scripting vulnerability was discovered in version 1.2.25. Attackers can exploit this vulnerability to perform actions on behalf of other users. The vulnerability is found in `te | ||
| CVE-2023-49088 | — | < 1.2.26-1.1 | 1.2.26-1.1 | Dec 22, 2023 | Cacti is an open source operational monitoring and fault management framework. The fix applied for CVE-2023-39515 in version 1.2.25 is incomplete as it enables an adversary to have a victim browser execute malicious code when a victim user hovers their mouse over the malicious da | ||
| CVE-2023-49085 | — | < 1.2.26-1.1 | 1.2.26-1.1 | Dec 22, 2023 | Cacti provides an operational monitoring and fault management framework. In versions 1.2.25 and prior, it is possible to execute arbitrary SQL code through the `pollers.php` script. An authorized user may be able to execute arbitrary SQL code. The vulnerable component is the `pol | ||
| CVE-2023-49086 | — | < 1.2.26-1.1 | 1.2.26-1.1 | Dec 21, 2023 | Cacti is a robust performance and fault management framework and a frontend to RRDTool - a Time Series Database (TSDB). A vulnerability in versions prior to 1.2.27 bypasses an earlier fix for CVE-2023-39360, therefore leading to a DOM XSS attack. Exploitation of the vulnerability | ||
| CVE-2023-49084 | — | < 1.2.26-1.1 | 1.2.26-1.1 | Dec 21, 2023 | Cacti is a robust performance and fault management framework and a frontend to RRDTool - a Time Series Database (TSDB). While using the detected SQL Injection and insufficient processing of the include file path, it is possible to execute arbitrary code on the server. Exploitatio | ||
| CVE-2023-39511 | — | < 1.2.25-2.1 | 1.2.25-2.1 | Sep 6, 2023 | Cacti is an open source operational monitoring and fault management framework. Affected versions are subject to a Stored Cross-Site-Scripting (XSS) Vulnerability which allows an authenticated user to poison data stored in the _cacti_'s database. These data will be viewed by admin |
- CVE-2026-0540Mar 3, 2026affected < 1.2.30+git306.82d5aef5-1.1fixed 1.2.30+git306.82d5aef5-1.1
DOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, fixed in commit 2726c74, contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting five missing rawtext elements (noscript, xmp, noembed, noframes, iframe) in the SAFE_F
- CVE-2026-1513Jan 28, 2026affected < 1.2.30+git231.bca15e70c-1.1fixed 1.2.30+git231.bca15e70c-1.1
billboard.js before 3.18.0 allows an attacker to execute malicious JavaScript due to improper sanitization during chart option binding.
- CVE-2024-34340May 13, 2024affected < 1.2.27-1.1fixed 1.2.27-1.1
Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, Cacti calls `compat_password_hash` when users set their password. `compat_password_hash` use `password_hash` if there is it, else use `md5`. When verifying password, it calls `compat
- CVE-2024-31460May 13, 2024affected < 1.2.27-1.1fixed 1.2.27-1.1
Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, some of the data stored in `automation_tree_rules.php` is not thoroughly checked and is used to concatenate the SQL statement in `create_all_header_nodes()` function from `lib/api_a
- CVE-2024-31459May 13, 2024affected < 1.2.27-1.1fixed 1.2.27-1.1
Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, there is a file inclusion issue in the `lib/plugin.php` file. Combined with SQL injection vulnerabilities, remote code execution can be implemented. There is a file inclusion issue w
- CVE-2024-31458May 13, 2024affected < 1.2.27-1.1fixed 1.2.27-1.1
Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, some of the data stored in `form_save()` function in `graph_template_inputs.php` is not thoroughly checked and is used to concatenate the SQL statement in `draw_nontemplated_fields_g
- CVE-2024-31445May 13, 2024affected < 1.2.27-1.1fixed 1.2.27-1.1
Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, a SQL injection vulnerability in `automation_get_new_graphs_sql` function of `api_automation.php` allows authenticated users to exploit these SQL injection vulnerabilities to perform
- CVE-2024-31444May 13, 2024affected < 1.2.27-1.1fixed 1.2.27-1.1
Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, some of the data stored in `automation_tree_rules_form_save()` function in `automation_tree_rules.php` is not thoroughly checked and is used to concatenate the HTML statement in `for
- CVE-2024-31443May 13, 2024affected < 1.2.27-1.1fixed 1.2.27-1.1
Cacti provides an operational monitoring and fault management framework. Prior to 1.2.27, some of the data stored in `form_save()` function in `data_queries.php` is not thoroughly checked and is used to concatenate the HTML statement in `grow_right_pane_tree()` function from `lib
- CVE-2024-29894May 13, 2024affected < 1.2.27-1.1fixed 1.2.27-1.1
Cacti provides an operational monitoring and fault management framework. Versions of Cacti prior to 1.2.27 contain a residual cross-site scripting vulnerability caused by an incomplete fix for CVE-2023-50250. `raise_message_javascript` from `lib/functions.php` now uses purify.js
- CVE-2024-27082May 13, 2024affected < 1.2.27-1.1fixed 1.2.27-1.1
Cacti provides an operational monitoring and fault management framework. Versions of Cacti prior to 1.2.27 are vulnerable to stored cross-site scripting, a type of cross-site scripting where malicious scripts are permanently stored on a target server and served to users who acces
- CVE-2024-25641May 13, 2024affected < 1.2.27-1.1fixed 1.2.27-1.1
Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, an arbitrary file write vulnerability, exploitable through the "Package Import" feature, allows authenticated users having the "Import Templates" permission to execute arbitrary PHP
- CVE-2024-27355Mar 1, 2024affected < 1.2.30+git457.e55c2aea-1.1fixed 1.2.30+git457.e55c2aea-1.1
An issue was discovered in phpseclib 1.x before 1.0.23, 2.x before 2.0.47, and 3.x before 3.0.36. When processing the ASN.1 object identifier of a certificate, a sub identifier may be provided that leads to a denial of service (CPU consumption for decodeOID).
- CVE-2023-51448Dec 22, 2023affected < 1.2.26-1.1fixed 1.2.26-1.1
Cacti provides an operational monitoring and fault management framework. Version 1.2.25 has a Blind SQL Injection (SQLi) vulnerability within the SNMP Notification Receivers feature in the file `‘managers.php’`. An authenticated attacker with the “Settings/Utilities” permission c
- CVE-2023-50250Dec 22, 2023affected < 1.2.26-1.1fixed 1.2.26-1.1
Cacti is an open source operational monitoring and fault management framework. A reflection cross-site scripting vulnerability was discovered in version 1.2.25. Attackers can exploit this vulnerability to perform actions on behalf of other users. The vulnerability is found in `te
- CVE-2023-49088Dec 22, 2023affected < 1.2.26-1.1fixed 1.2.26-1.1
Cacti is an open source operational monitoring and fault management framework. The fix applied for CVE-2023-39515 in version 1.2.25 is incomplete as it enables an adversary to have a victim browser execute malicious code when a victim user hovers their mouse over the malicious da
- CVE-2023-49085Dec 22, 2023affected < 1.2.26-1.1fixed 1.2.26-1.1
Cacti provides an operational monitoring and fault management framework. In versions 1.2.25 and prior, it is possible to execute arbitrary SQL code through the `pollers.php` script. An authorized user may be able to execute arbitrary SQL code. The vulnerable component is the `pol
- CVE-2023-49086Dec 21, 2023affected < 1.2.26-1.1fixed 1.2.26-1.1
Cacti is a robust performance and fault management framework and a frontend to RRDTool - a Time Series Database (TSDB). A vulnerability in versions prior to 1.2.27 bypasses an earlier fix for CVE-2023-39360, therefore leading to a DOM XSS attack. Exploitation of the vulnerability
- CVE-2023-49084Dec 21, 2023affected < 1.2.26-1.1fixed 1.2.26-1.1
Cacti is a robust performance and fault management framework and a frontend to RRDTool - a Time Series Database (TSDB). While using the detected SQL Injection and insufficient processing of the include file path, it is possible to execute arbitrary code on the server. Exploitatio
- CVE-2023-39511Sep 6, 2023affected < 1.2.25-2.1fixed 1.2.25-2.1
Cacti is an open source operational monitoring and fault management framework. Affected versions are subject to a Stored Cross-Site-Scripting (XSS) Vulnerability which allows an authenticated user to poison data stored in the _cacti_'s database. These data will be viewed by admin
Page 1 of 5