Cacti
CVEs (170)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-43362 | | | 0.00 | — | 0.35 | | Oct 7, 2024 | Cacti is an open source performance and fault management framework. The `fileurl` parameter is not properly sanitized when saving external links in `links.php`. Moreover, the said `fileurl` is placed in some HTML code which is passed to the `print` function in `link.php` and… |
| CVE-2024-34340 | | | 0.00 | — | 0.01 | | May 13, 2024 | Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, Cacti calls `compat_password_hash` when users set their password. `compat_password_hash` uses `password_hash` if it is available, else `md5`. When verifying the password, it calls… |
| CVE-2024-31460 | | | 0.00 | — | 0.02 | | May 13, 2024 | Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, some of the data stored in `automation_tree_rules.php` is not thoroughly checked and is used to concatenate the SQL statement in the `create_all_header_nodes()` function from… |
| CVE-2024-31459 | | | 0.00 | — | 0.03 | | May 13, 2024 | Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, there is a file inclusion issue in the `lib/plugin.php` file. Combined with SQL injection vulnerabilities, remote code execution can be achieved. There is a file inclusion issue… |
| CVE-2024-31458 | | | 0.00 | — | 0.13 | | May 13, 2024 | Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, some of the data stored in the `form_save()` function in `graph_template_inputs.php` is not thoroughly checked and is used to concatenate the SQL statement in… |
| CVE-2024-31443 | | | 0.00 | — | 0.01 | | May 13, 2024 | Cacti provides an operational monitoring and fault management framework. Prior to 1.2.27, some of the data stored in the `form_save()` function in `data_queries.php` is not thoroughly checked and is used to concatenate the HTML statement in the `grow_right_pane_tree()` function from… |
| CVE-2024-29894 | | | 0.00 | — | 0.01 | | May 13, 2024 | Cacti provides an operational monitoring and fault management framework. Versions of Cacti prior to 1.2.27 contain a residual cross-site scripting vulnerability caused by an incomplete fix for CVE-2023-50250. `raise_message_javascript` from `lib/functions.php` now uses purify.js… |
| CVE-2024-27082 | | | 0.00 | — | 0.01 | | May 13, 2024 | Cacti provides an operational monitoring and fault management framework. Versions of Cacti prior to 1.2.27 are vulnerable to stored cross-site scripting, a type of cross-site scripting where malicious scripts are permanently stored on a target server and served to users who… |
| CVE-2023-50250 | | | 0.00 | — | 0.01 | | Dec 22, 2023 | Cacti is an open source operational monitoring and fault management framework. A reflected cross-site scripting vulnerability was discovered in version 1.2.25. Attackers can exploit this vulnerability to perform actions on behalf of other users. The vulnerability is found in… |
| CVE-2023-49088 | | | 0.00 | — | 0.01 | | Dec 22, 2023 | Cacti is an open source operational monitoring and fault management framework. The fix applied for CVE-2023-39515 in version 1.2.25 is incomplete, as it enables an adversary to have a victim's browser execute malicious code when the victim hovers their mouse over the malicious… |
| CVE-2023-49086 | | | 0.00 | — | 0.01 | | Dec 21, 2023 | Cacti is a robust performance and fault management framework and a frontend to RRDTool, a Time Series Database (TSDB). A vulnerability in versions prior to 1.2.27 bypasses an earlier fix for CVE-2023-39360, therefore leading to a DOM XSS attack. Exploitation of the… |
| CVE-2023-46490 | | | 0.00 | — | 0.01 | | Oct 27, 2023 | SQL injection vulnerability in Cacti v1.2.25 allows a remote attacker to obtain sensitive information via the `form_actions()` function in `managers.php`. |
| CVE-2023-39511 | | | 0.00 | — | 0.01 | | Sep 6, 2023 | Cacti is an open source operational monitoring and fault management framework. Affected versions are subject to a stored cross-site scripting (XSS) vulnerability which allows an authenticated user to poison data stored in Cacti's database. These data will be viewed by… |
| CVE-2023-31132 | | | 0.00 | — | 0.00 | | Sep 5, 2023 | Cacti is an open source operational monitoring and fault management framework. Affected versions are subject to a privilege escalation vulnerability. A low-privileged OS user with access to a Windows host where Cacti is installed can create arbitrary PHP files in a web document… |
| CVE-2023-39364 | | | 0.00 | — | 0.01 | | Sep 5, 2023 | Cacti is an open source operational monitoring and fault management framework. In Cacti 1.2.24, users with console access can be redirected to an arbitrary website after a password change performed via a specifically crafted URL. The `auth_changepassword.php` file accepts `ref`… |
| CVE-2023-39516 | | | 0.00 | — | 0.01 | | Sep 5, 2023 | Cacti is an open source operational monitoring and fault management framework. Affected versions are subject to a stored cross-site scripting (XSS) vulnerability which allows an authenticated user to poison data stored in Cacti's database. These data will be viewed by… |
| CVE-2023-39365 | | | 0.00 | — | 0.01 | | Sep 5, 2023 | Cacti is an open source operational monitoring and fault management framework. Issues with Cacti regular expression validation combined with the external links feature can lead to limited SQL injections and subsequent data leakage. This issue has been addressed in version… |
| CVE-2023-39357 | | | 0.00 | — | 0.02 | | Sep 5, 2023 | Cacti is an open source operational monitoring and fault management framework. A defect in the `sql_save` function was discovered. When the column type is numeric, the `sql_save` function directly utilizes user input. Many files and functions calling the `sql_save` function do not… |
| CVE-2023-39358 | | | 0.00 | — | 0.02 | | Sep 5, 2023 | Cacti is an open source operational monitoring and fault management framework. An authenticated SQL injection vulnerability was discovered which allows authenticated users to perform privilege escalation and remote code execution. The vulnerability resides in the… |
| CVE-2023-39359 | | | 0.00 | — | 0.02 | | Sep 5, 2023 | Cacti is an open source operational monitoring and fault management framework. An authenticated SQL injection vulnerability was discovered which allows authenticated users to perform privilege escalation and remote code execution. The vulnerability resides in the `graphs.php`… |