rpm package
opensuse/cacti&distro=openSUSE Leap 15.2
pkg:rpm/opensuse/cacti&distro=openSUSE%20Leap%2015.2
Vulnerabilities (6)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2020-14424 | — | | | < 1.2.18-bp153.2.3.1 | 1.2.18-bp153.2.3.1 | Nov 14, 2021 | Cacti before 1.2.18 allows remote attackers to trigger XSS via template import for the midwinter theme. |
| CVE-2020-35701 | — | | | < 1.2.17-20.1 | 1.2.17-20.1 | Jan 11, 2021 | An issue was discovered in Cacti 1.2.x through 1.2.16. A SQL injection vulnerability in data_debug.php allows remote authenticated attackers to execute arbitrary SQL commands via the site_id parameter. This can lead to remote code execution. |
| CVE-2020-14295 | — | | | < 1.2.13-11.1 | 1.2.13-11.1 | Jun 17, 2020 | A SQL injection issue in color.php in Cacti 1.2.12 allows an admin to inject SQL via the filter parameter. This can lead to remote command execution because the product accepts stacked queries. |
| CVE-2020-13625 | — | | | < 1.2.13-11.1 | 1.2.13-11.1 | Jun 8, 2020 | PHPMailer before 6.1.6 contains an output escaping bug when the name of a file attachment contains a double quote character. This can result in the file type being misinterpreted by the receiver or any mail relay processing the message. |
| CVE-2020-11022 | Med | 6.9 | | < 1.2.13-11.1 | 1.2.13-11.1 | Apr 29, 2020 | In jQuery starting with 1.12.0 and before 3.5.0, passing HTML from untrusted sources, even after sanitizing it, to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0. |
| CVE-2020-11023 | — | | KEV | < 1.2.13-11.1 | 1.2.13-11.1 | Apr 29, 2020 | In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources, even after sanitizing it, to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This pro |