rpm package
suse/cacti-spine&distro=SUSE Package Hub 12
pkg:rpm/suse/cacti-spine&distro=SUSE%20Package%20Hub%2012
Vulnerabilities (52)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2020-11023 | — | | KEV | < 1.2.13-8.1 | 1.2.13-8.1 | Apr 29, 2020 | In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This pro |
| CVE-2020-8813 | — | | | < 1.2.11-2.1 | 1.2.11-2.1 | Feb 22, 2020 | graph_realtime.php in Cacti 1.2.8 allows remote attackers to execute arbitrary OS commands via shell metacharacters in a cookie, if a guest user has the graph real-time privilege. |
| CVE-2019-17357 | — | | | < 1.2.11-2.1 | 1.2.11-2.1 | Jan 21, 2020 | Cacti through 1.2.7 is affected by a graphs.php?template_id= SQL injection vulnerability affecting how template identifiers are handled when a string and id composite value are used to identify the template type and id. An authenticated attacker can exploit this to extract data f |
| CVE-2020-7237 | — | | | < 1.2.11-2.1 | 1.2.11-2.1 | Jan 20, 2020 | Cacti 1.2.8 allows Remote Code Execution (by privileged users) via shell metacharacters in the Performance Boost Debug Log field of poller_automation.php. OS commands are executed when a new poller cycle begins. The attacker must be authenticated, and must have access to modify t |
| CVE-2020-7106 | — | | | < 1.2.11-2.1 | 1.2.11-2.1 | Jan 16, 2020 | Cacti 1.2.8 has stored XSS in data_sources.php, color_templates_item.php, graphs.php, graph_items.php, lib/api_automation.php, user_admin.php, and user_group_admin.php, as demonstrated by the description parameter in data_sources.php (a raw string from the database that is displa |
| CVE-2019-17358 | — | | | < 1.2.11-2.1 | 1.2.11-2.1 | Dec 12, 2019 | Cacti through 1.2.7 is affected by multiple instances of lib/functions.php unsafe deserialization of user-controlled data to populate arrays. An authenticated attacker could use this to influence object data values and control actions taken by Cacti or potentially cause memory co |
| CVE-2019-16723 | — | | | < 1.2.11-2.1 | 1.2.11-2.1 | Sep 23, 2019 | In Cacti through 1.2.6, authenticated users may bypass authorization checks (for viewing a graph) via a direct graph_json.php request with a modified local_graph_id parameter. |
| CVE-2018-20726 | — | | | < 1.2.11-2.1 | 1.2.11-2.1 | Jan 16, 2019 | A cross-site scripting (XSS) vulnerability exists in host.php (via tree.php) in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Website Hostname field for Devices. |
| CVE-2018-20725 | — | | | < 1.2.11-2.1 | 1.2.11-2.1 | Jan 16, 2019 | A cross-site scripting (XSS) vulnerability exists in graph_templates.php in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Graph Vertical Label. |
| CVE-2018-20724 | — | | | < 1.2.11-2.1 | 1.2.11-2.1 | Jan 16, 2019 | A cross-site scripting (XSS) vulnerability exists in pollers.php in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Website Hostname for Data Collectors. |
| CVE-2018-20723 | — | | | < 1.2.11-2.1 | 1.2.11-2.1 | Jan 16, 2019 | A cross-site scripting (XSS) vulnerability exists in color_templates.php in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Name field for a Color. |
| CVE-2009-4112 | — | | | < 1.2.11-2.1 | 1.2.11-2.1 | Nov 30, 2009 | Cacti 0.8.7e and earlier allows remote authenticated administrators to gain privileges by modifying the "Data Input Method" for the "Linux - Get Memory Usage" setting to contain arbitrary commands. |
Page 3 of 3