Cacti
Source repositories
CVEs (170)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-39360 | | | 0.00 | — | 0.01 | | Sep 5, 2023 | Cacti is an open source operational monitoring and fault management framework. Affected versions are subject to a Stored Cross-Site-Scripting (XSS) Vulnerability which allows an authenticated user to poison data. The vulnerability is found in `graphs_new.php`. Several validations are… |
| CVE-2023-39366 | | | 0.00 | — | 0.01 | | Sep 5, 2023 | Cacti is an open source operational monitoring and fault management framework. Affected versions are subject to a Stored Cross-Site-Scripting (XSS) Vulnerability which allows an authenticated user to poison data stored in the _cacti_'s database. These data will be viewed by… |
| CVE-2023-39510 | | | 0.00 | — | 0.01 | | Sep 5, 2023 | Cacti is an open source operational monitoring and fault management framework. Affected versions are subject to a Stored Cross-Site-Scripting (XSS) Vulnerability which allows an authenticated user to poison data stored in the _cacti_'s database. These data will be viewed by… |
| CVE-2023-39512 | | | 0.00 | — | 0.01 | | Sep 5, 2023 | Cacti is an open source operational monitoring and fault management framework. Affected versions are subject to a Stored Cross-Site-Scripting (XSS) Vulnerability which allows an authenticated user to poison data stored in the _cacti_'s database. These data will be viewed by… |
| CVE-2023-39513 | | | 0.00 | — | 0.01 | | Sep 5, 2023 | Cacti is an open source operational monitoring and fault management framework. Affected versions are subject to a Stored Cross-Site-Scripting (XSS) Vulnerability which allows an authenticated user to poison data stored in the _cacti_'s database. These data will be viewed by… |
| CVE-2023-39515 | | | 0.00 | — | 0.01 | | Sep 5, 2023 | Cacti is an open source operational monitoring and fault management framework. Affected versions are subject to a Stored Cross-Site-Scripting (XSS) Vulnerability which allows an authenticated user to poison data stored in the cacti's database. These data will be viewed by… |
| CVE-2023-39514 | | | 0.00 | — | 0.01 | | Sep 5, 2023 | Cacti is an open source operational monitoring and fault management framework. Affected versions are subject to a Stored Cross-Site-Scripting (XSS) Vulnerability which allows an authenticated user to poison data stored in the _cacti_'s database. These data will be viewed by… |
| CVE-2022-41444 | | | 0.00 | — | 0.01 | | Aug 22, 2023 | Cross Site Scripting (XSS) vulnerability in Cacti 1.2.21 via crafted POST request to graphs_new.php. |
| CVE-2022-48547 | | | 0.00 | — | 0.01 | | Aug 22, 2023 | A reflected cross-site scripting (XSS) vulnerability in Cacti 0.8.7g and earlier allows unauthenticated remote attackers to inject arbitrary web script or HTML in the "ref" parameter at auth_changepassword.php. |
| CVE-2022-48538 | | | 0.00 | — | 0.01 | | Aug 22, 2023 | In Cacti 1.2.19, there is an authentication bypass in the web login functionality because of improper validation in the PHP code: cacti_ldap_auth() allows a zero as the password. |
| CVE-2023-37543 | | | 0.00 | — | 0.01 | | Aug 10, 2023 | Cacti before 1.2.6 allows IDOR (Insecure Direct Object Reference) for accessing any graph via a modified local_graph_id parameter to graph_xport.php. This is a different vulnerability than CVE-2019-16723. |
| CVE-2022-0730 | | | 0.00 | — | 0.03 | | Mar 3, 2022 | Under certain LDAP conditions, Cacti authentication can be bypassed with certain credential types. |
| CVE-2021-23225 | | | 0.00 | — | 0.01 | | Jan 19, 2022 | Cacti 1.1.38 allows authenticated users with User Management permissions to inject arbitrary web script or HTML in the "new_username" field during creation of a new user via the "Copy" method at user_admin.php. |
| CVE-2021-3816 | | | 0.00 | — | 0.01 | | Jan 19, 2022 | Cacti 1.1.38 allows authenticated users with User Management permissions to inject arbitrary HTML in the group_prefix field during the creation of a new group via the "Copy" method at user_group_admin.php. |
| CVE-2020-14424 | | | 0.00 | — | 0.02 | | Nov 14, 2021 | Cacti before 1.2.18 allows remote attackers to trigger XSS via template import for the midwinter theme. |
| CVE-2020-23226 | | | 0.00 | — | 0.02 | | Aug 27, 2021 | Multiple Cross Site Scripting (XSS) vulnerabilities exist in Cacti 1.2.12 in (1) reports_admin.php, (2) data_queries.php, (3) data_input.php, (4) graph_templates.php, (5) graphs.php, (6) reports_admin.php, and (7) data_input.php. |
| CVE-2020-35701 | | | 0.00 | — | 0.05 | | Jan 11, 2021 | An issue was discovered in Cacti 1.2.x through 1.2.16. A SQL injection vulnerability in data_debug.php allows remote authenticated attackers to execute arbitrary SQL commands via the site_id parameter. This can lead to remote code execution. |
| CVE-2020-25706 | | | 0.00 | — | 0.03 | | Nov 12, 2020 | A cross-site scripting (XSS) vulnerability exists in templates_import.php (Cacti 1.2.13) due to improper escaping of the error message during template import preview in the xml_path field. |
| CVE-2020-13231 | | | 0.00 | — | 0.01 | | May 20, 2020 | In Cacti before 1.2.11, auth_profile.php?action=edit allows CSRF for an admin email change. |
| CVE-2020-13230 | | | 0.00 | — | 0.01 | | May 20, 2020 | In Cacti before 1.2.11, disabling a user account does not immediately invalidate any permissions granted to that account (e.g., permission to view logs). |
Page 6 of 9