rpm package

suse/cacti-spine&distro=SUSE Package Hub 15 SP5

pkg:rpm/suse/cacti-spine&distro=SUSE%20Package%20Hub%2015%20SP5

Vulnerabilities (33)

CVE	CVSS	Affected versions	Fixed in	Published	Description
CVE-2024-34340	—	< 1.2.27-bp155.2.9.1	1.2.27-bp155.2.9.1	May 13, 2024	Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, Cacti calls `compat_password_hash` when users set their password. `compat_password_hash` use `password_hash` if there is it, else use `md5`. When verifying password, it calls `compat
CVE-2024-31460	—	< 1.2.27-bp155.2.9.1	1.2.27-bp155.2.9.1	May 13, 2024	Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, some of the data stored in `automation_tree_rules.php` is not thoroughly checked and is used to concatenate the SQL statement in `create_all_header_nodes()` function from `lib/api_a
CVE-2024-31459	—	< 1.2.27-bp155.2.9.1	1.2.27-bp155.2.9.1	May 13, 2024	Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, there is a file inclusion issue in the `lib/plugin.php` file. Combined with SQL injection vulnerabilities, remote code execution can be implemented. There is a file inclusion issue w
CVE-2024-31458	—	< 1.2.27-bp155.2.9.1	1.2.27-bp155.2.9.1	May 13, 2024	Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, some of the data stored in `form_save()` function in `graph_template_inputs.php` is not thoroughly checked and is used to concatenate the SQL statement in `draw_nontemplated_fields_g
CVE-2024-31445	—	< 1.2.27-bp155.2.9.1	1.2.27-bp155.2.9.1	May 13, 2024	Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, a SQL injection vulnerability in `automation_get_new_graphs_sql` function of `api_automation.php` allows authenticated users to exploit these SQL injection vulnerabilities to perform
CVE-2024-31444	—	< 1.2.27-bp155.2.9.1	1.2.27-bp155.2.9.1	May 13, 2024	Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, some of the data stored in `automation_tree_rules_form_save()` function in `automation_tree_rules.php` is not thoroughly checked and is used to concatenate the HTML statement in `for
CVE-2024-31443	—	< 1.2.27-bp155.2.9.1	1.2.27-bp155.2.9.1	May 13, 2024	Cacti provides an operational monitoring and fault management framework. Prior to 1.2.27, some of the data stored in `form_save()` function in `data_queries.php` is not thoroughly checked and is used to concatenate the HTML statement in `grow_right_pane_tree()` function from `lib
CVE-2024-29894	—	< 1.2.27-bp155.2.9.1	1.2.27-bp155.2.9.1	May 13, 2024	Cacti provides an operational monitoring and fault management framework. Versions of Cacti prior to 1.2.27 contain a residual cross-site scripting vulnerability caused by an incomplete fix for CVE-2023-50250. `raise_message_javascript` from `lib/functions.php` now uses purify.js
CVE-2024-27082	—	< 1.2.27-bp155.2.9.1	1.2.27-bp155.2.9.1	May 13, 2024	Cacti provides an operational monitoring and fault management framework. Versions of Cacti prior to 1.2.27 are vulnerable to stored cross-site scripting, a type of cross-site scripting where malicious scripts are permanently stored on a target server and served to users who acces
CVE-2024-25641	—	< 1.2.27-bp155.2.9.1	1.2.27-bp155.2.9.1	May 13, 2024	Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, an arbitrary file write vulnerability, exploitable through the "Package Import" feature, allows authenticated users having the "Import Templates" permission to execute arbitrary PHP
CVE-2023-51448	—	< 1.2.26-bp155.2.6.1	1.2.26-bp155.2.6.1	Dec 22, 2023	Cacti provides an operational monitoring and fault management framework. Version 1.2.25 has a Blind SQL Injection (SQLi) vulnerability within the SNMP Notification Receivers feature in the file `‘managers.php’`. An authenticated attacker with the “Settings/Utilities” permission c
CVE-2023-50250	—	< 1.2.26-bp155.2.6.1	1.2.26-bp155.2.6.1	Dec 22, 2023	Cacti is an open source operational monitoring and fault management framework. A reflection cross-site scripting vulnerability was discovered in version 1.2.25. Attackers can exploit this vulnerability to perform actions on behalf of other users. The vulnerability is found in `te
CVE-2023-49088	—	< 1.2.26-bp155.2.6.1	1.2.26-bp155.2.6.1	Dec 22, 2023	Cacti is an open source operational monitoring and fault management framework. The fix applied for CVE-2023-39515 in version 1.2.25 is incomplete as it enables an adversary to have a victim browser execute malicious code when a victim user hovers their mouse over the malicious da
CVE-2023-49085	—	< 1.2.26-bp155.2.6.1	1.2.26-bp155.2.6.1	Dec 22, 2023	Cacti provides an operational monitoring and fault management framework. In versions 1.2.25 and prior, it is possible to execute arbitrary SQL code through the `pollers.php` script. An authorized user may be able to execute arbitrary SQL code. The vulnerable component is the `pol
CVE-2023-49086	—	< 1.2.26-bp155.2.6.1	1.2.26-bp155.2.6.1	Dec 21, 2023	Cacti is a robust performance and fault management framework and a frontend to RRDTool - a Time Series Database (TSDB). A vulnerability in versions prior to 1.2.27 bypasses an earlier fix for CVE-2023-39360, therefore leading to a DOM XSS attack. Exploitation of the vulnerability
CVE-2023-49084	—	< 1.2.26-bp155.2.6.1	1.2.26-bp155.2.6.1	Dec 21, 2023	Cacti is a robust performance and fault management framework and a frontend to RRDTool - a Time Series Database (TSDB). While using the detected SQL Injection and insufficient processing of the include file path, it is possible to execute arbitrary code on the server. Exploitatio
CVE-2023-39511	—	< 1.2.25-bp155.2.3.1	1.2.25-bp155.2.3.1	Sep 6, 2023	Cacti is an open source operational monitoring and fault management framework. Affected versions are subject to a Stored Cross-Site-Scripting (XSS) Vulnerability which allows an authenticated user to poison data stored in the _cacti_'s database. These data will be viewed by admin
CVE-2023-30534	—	< 1.2.25-bp155.2.3.1	1.2.25-bp155.2.3.1	Sep 5, 2023	Cacti is an open source operational monitoring and fault management framework. There are two instances of insecure deserialization in Cacti version 1.2.24. While a viable gadget chain exists in Cacti’s vendor directory (phpseclib), the necessary gadgets are not included, making t
CVE-2023-39362	—	< 1.2.25-bp155.2.3.1	1.2.25-bp155.2.3.1	Sep 5, 2023	Cacti is an open source operational monitoring and fault management framework. In Cacti 1.2.24, under certain conditions, an authenticated privileged user, can use a malicious string in the SNMP options of a Device, performing command injection and obtaining remote code execution
CVE-2023-39364	—	< 1.2.25-bp155.2.3.1	1.2.25-bp155.2.3.1	Sep 5, 2023	Cacti is an open source operational monitoring and fault management framework. In Cacti 1.2.24, users with console access can be redirected to an arbitrary website after a change password performed via a specifically crafted URL. The `auth_changepassword.php` file accepts `ref` a

CVE-2024-34340May 13, 2024
affected < 1.2.27-bp155.2.9.1fixed 1.2.27-bp155.2.9.1
Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, Cacti calls `compat_password_hash` when users set their password. `compat_password_hash` use `password_hash` if there is it, else use `md5`. When verifying password, it calls `compat
CVE-2024-31460May 13, 2024
affected < 1.2.27-bp155.2.9.1fixed 1.2.27-bp155.2.9.1
Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, some of the data stored in `automation_tree_rules.php` is not thoroughly checked and is used to concatenate the SQL statement in `create_all_header_nodes()` function from `lib/api_a
CVE-2024-31459May 13, 2024
affected < 1.2.27-bp155.2.9.1fixed 1.2.27-bp155.2.9.1
Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, there is a file inclusion issue in the `lib/plugin.php` file. Combined with SQL injection vulnerabilities, remote code execution can be implemented. There is a file inclusion issue w
CVE-2024-31458May 13, 2024
affected < 1.2.27-bp155.2.9.1fixed 1.2.27-bp155.2.9.1
Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, some of the data stored in `form_save()` function in `graph_template_inputs.php` is not thoroughly checked and is used to concatenate the SQL statement in `draw_nontemplated_fields_g
CVE-2024-31445May 13, 2024
affected < 1.2.27-bp155.2.9.1fixed 1.2.27-bp155.2.9.1
Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, a SQL injection vulnerability in `automation_get_new_graphs_sql` function of `api_automation.php` allows authenticated users to exploit these SQL injection vulnerabilities to perform
CVE-2024-31444May 13, 2024
affected < 1.2.27-bp155.2.9.1fixed 1.2.27-bp155.2.9.1
Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, some of the data stored in `automation_tree_rules_form_save()` function in `automation_tree_rules.php` is not thoroughly checked and is used to concatenate the HTML statement in `for
CVE-2024-31443May 13, 2024
affected < 1.2.27-bp155.2.9.1fixed 1.2.27-bp155.2.9.1
Cacti provides an operational monitoring and fault management framework. Prior to 1.2.27, some of the data stored in `form_save()` function in `data_queries.php` is not thoroughly checked and is used to concatenate the HTML statement in `grow_right_pane_tree()` function from `lib
CVE-2024-29894May 13, 2024
affected < 1.2.27-bp155.2.9.1fixed 1.2.27-bp155.2.9.1
Cacti provides an operational monitoring and fault management framework. Versions of Cacti prior to 1.2.27 contain a residual cross-site scripting vulnerability caused by an incomplete fix for CVE-2023-50250. `raise_message_javascript` from `lib/functions.php` now uses purify.js
CVE-2024-27082May 13, 2024
affected < 1.2.27-bp155.2.9.1fixed 1.2.27-bp155.2.9.1
Cacti provides an operational monitoring and fault management framework. Versions of Cacti prior to 1.2.27 are vulnerable to stored cross-site scripting, a type of cross-site scripting where malicious scripts are permanently stored on a target server and served to users who acces
CVE-2024-25641May 13, 2024
affected < 1.2.27-bp155.2.9.1fixed 1.2.27-bp155.2.9.1
Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, an arbitrary file write vulnerability, exploitable through the "Package Import" feature, allows authenticated users having the "Import Templates" permission to execute arbitrary PHP
CVE-2023-51448Dec 22, 2023
affected < 1.2.26-bp155.2.6.1fixed 1.2.26-bp155.2.6.1
Cacti provides an operational monitoring and fault management framework. Version 1.2.25 has a Blind SQL Injection (SQLi) vulnerability within the SNMP Notification Receivers feature in the file `‘managers.php’`. An authenticated attacker with the “Settings/Utilities” permission c
CVE-2023-50250Dec 22, 2023
affected < 1.2.26-bp155.2.6.1fixed 1.2.26-bp155.2.6.1
Cacti is an open source operational monitoring and fault management framework. A reflection cross-site scripting vulnerability was discovered in version 1.2.25. Attackers can exploit this vulnerability to perform actions on behalf of other users. The vulnerability is found in `te
CVE-2023-49088Dec 22, 2023
affected < 1.2.26-bp155.2.6.1fixed 1.2.26-bp155.2.6.1
Cacti is an open source operational monitoring and fault management framework. The fix applied for CVE-2023-39515 in version 1.2.25 is incomplete as it enables an adversary to have a victim browser execute malicious code when a victim user hovers their mouse over the malicious da
CVE-2023-49085Dec 22, 2023
affected < 1.2.26-bp155.2.6.1fixed 1.2.26-bp155.2.6.1
Cacti provides an operational monitoring and fault management framework. In versions 1.2.25 and prior, it is possible to execute arbitrary SQL code through the `pollers.php` script. An authorized user may be able to execute arbitrary SQL code. The vulnerable component is the `pol
CVE-2023-49086Dec 21, 2023
affected < 1.2.26-bp155.2.6.1fixed 1.2.26-bp155.2.6.1
Cacti is a robust performance and fault management framework and a frontend to RRDTool - a Time Series Database (TSDB). A vulnerability in versions prior to 1.2.27 bypasses an earlier fix for CVE-2023-39360, therefore leading to a DOM XSS attack. Exploitation of the vulnerability
CVE-2023-49084Dec 21, 2023
affected < 1.2.26-bp155.2.6.1fixed 1.2.26-bp155.2.6.1
Cacti is a robust performance and fault management framework and a frontend to RRDTool - a Time Series Database (TSDB). While using the detected SQL Injection and insufficient processing of the include file path, it is possible to execute arbitrary code on the server. Exploitatio
CVE-2023-39511Sep 6, 2023
affected < 1.2.25-bp155.2.3.1fixed 1.2.25-bp155.2.3.1
Cacti is an open source operational monitoring and fault management framework. Affected versions are subject to a Stored Cross-Site-Scripting (XSS) Vulnerability which allows an authenticated user to poison data stored in the _cacti_'s database. These data will be viewed by admin
CVE-2023-30534Sep 5, 2023
affected < 1.2.25-bp155.2.3.1fixed 1.2.25-bp155.2.3.1
Cacti is an open source operational monitoring and fault management framework. There are two instances of insecure deserialization in Cacti version 1.2.24. While a viable gadget chain exists in Cacti’s vendor directory (phpseclib), the necessary gadgets are not included, making t
CVE-2023-39362Sep 5, 2023
affected < 1.2.25-bp155.2.3.1fixed 1.2.25-bp155.2.3.1
Cacti is an open source operational monitoring and fault management framework. In Cacti 1.2.24, under certain conditions, an authenticated privileged user, can use a malicious string in the SNMP options of a Device, performing command injection and obtaining remote code execution
CVE-2023-39364Sep 5, 2023
affected < 1.2.25-bp155.2.3.1fixed 1.2.25-bp155.2.3.1
Cacti is an open source operational monitoring and fault management framework. In Cacti 1.2.24, users with console access can be redirected to an arbitrary website after a change password performed via a specifically crafted URL. The `auth_changepassword.php` file accepts `ref` a

Page 1 of 2