Cacti
Source repositories
CVEs (170)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-7106 | 0.00 | — | 0.02 | Jan 16, 2020 | Cacti 1.2.8 has stored XSS in data_sources.php, color_templates_item.php, graphs.php, graph_items.php, lib/api_automation.php, user_admin.php, and user_group_admin.php, as demonstrated by the description parameter in data_sources.php (a raw string from the database that is… | |||
| CVE-2020-7058 | 0.00 | — | 0.02 | Jan 15, 2020 | data_input.php in Cacti 1.2.8 allows remote code execution via a crafted Input String to Data Collection -> Data Input Methods -> Unix -> Ping Host. NOTE: the vendor has stated "This is a false alarm. | |||
| CVE-2019-17358 | 0.00 | — | 0.03 | Dec 12, 2019 | Cacti through 1.2.7 is affected by multiple instances of lib/functions.php unsafe deserialization of user-controlled data to populate arrays. An authenticated attacker could use this to influence object data values and control actions taken by Cacti or potentially cause memory… | |||
| CVE-2019-16723 | 0.00 | — | 0.01 | Sep 23, 2019 | In Cacti through 1.2.6, authenticated users may bypass authorization checks (for viewing a graph) via a direct graph_json.php request with a modified local_graph_id parameter. | |||
| CVE-2019-11025 | 0.00 | — | 0.01 | Apr 8, 2019 | In clearFilter() in utilities.php in Cacti before 1.2.3, no escaping occurs before printing out the value of the SNMP community string (SNMP Options) in the View poller cache, leading to XSS. | |||
| CVE-2018-20725 | 0.00 | — | 0.01 | Jan 16, 2019 | A cross-site scripting (XSS) vulnerability exists in graph_templates.php in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Graph Vertical Label. | |||
| CVE-2018-20724 | 0.00 | — | 0.01 | Jan 16, 2019 | A cross-site scripting (XSS) vulnerability exists in pollers.php in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Website Hostname for Data Collectors. | |||
| CVE-2018-20723 | 0.00 | — | 0.01 | Jan 16, 2019 | A cross-site scripting (XSS) vulnerability exists in color_templates.php in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Name field for a Color. | |||
| CVE-2018-20726 | 0.00 | — | 0.01 | Jan 16, 2019 | A cross-site scripting (XSS) vulnerability exists in host.php (via tree.php) in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Website Hostname field for Devices. | |||
| CVE-2015-8369 | 0.00 | — | 0.02 | Dec 17, 2015 | SQL injection vulnerability in include/top_graph_header.php in Cacti 0.8.8f and earlier allows remote attackers to execute arbitrary SQL commands via the rra_id parameter in a properties action to graph.php. | |||
| CVE-2015-8377 | 0.00 | — | 0.02 | Dec 15, 2015 | SQL injection vulnerability in the host_new_graphs_save function in graphs_new.php in Cacti 0.8.8f and earlier allows remote authenticated users to execute arbitrary SQL commands via crafted serialized data in the selected_graphs_array parameter in a save action. | |||
| CVE-2015-4634 | 0.00 | — | 0.02 | Aug 11, 2015 | SQL injection vulnerability in graphs.php in Cacti before 0.8.8e allows remote attackers to execute arbitrary SQL commands via the local_graph_id parameter. | |||
| CVE-2015-2967 | 0.00 | — | 0.02 | Jul 10, 2015 | Cross-site scripting (XSS) vulnerability in settings.php in Cacti before 0.8.8d allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||
| CVE-2015-4454 | 0.00 | — | 0.02 | Jun 17, 2015 | SQL injection vulnerability in the get_hash_graph_template function in lib/functions.php in Cacti before 0.8.8d allows remote attackers to execute arbitrary SQL commands via the graph_template_id parameter to graph_templates.php. | |||
| CVE-2015-4342 | 0.00 | — | 0.03 | Jun 17, 2015 | SQL injection vulnerability in Cacti before 0.8.8d allows remote attackers to execute arbitrary SQL commands via unspecified vectors involving a cdef id. | |||
| CVE-2015-2665 | 0.00 | — | 0.02 | Jun 17, 2015 | Cross-site scripting (XSS) vulnerability in Cacti before 0.8.8d allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||
| CVE-2015-0916 | 0.00 | — | 0.01 | May 22, 2015 | SQL injection vulnerability in graph.php in Cacti before 0.8.6f allows remote authenticated users to execute arbitrary SQL commands via the local_graph_id parameter, a different vulnerability than CVE-2007-6035. | |||
| CVE-2014-5026 | 0.00 | — | 0.02 | Oct 20, 2014 | Multiple cross-site scripting (XSS) vulnerabilities in Cacti 0.8.8b allow remote authenticated users with console access to inject arbitrary web script or HTML via a (1) Graph Tree Title in a delete or (2) edit action; (3) CDEF Name, (4) Data Input Method Name, or (5) Host… | |||
| CVE-2014-5025 | 0.00 | — | 0.02 | Oct 20, 2014 | Cross-site scripting (XSS) vulnerability in data_sources.php in Cacti 0.8.8b allows remote authenticated users with console access to inject arbitrary web script or HTML via the name_cache parameter in a ds_edit action. | |||
| CVE-2014-5262 | 0.00 | — | 0.02 | Aug 22, 2014 | SQL injection vulnerability in the graph settings script (graph_settings.php) in Cacti 0.8.8b and earlier allows remote attackers to execute arbitrary SQL commands via unspecified vectors. |
- CVE-2020-7106Jan 16, 2020risk 0.00cvss —epss 0.02
Cacti 1.2.8 has stored XSS in data_sources.php, color_templates_item.php, graphs.php, graph_items.php, lib/api_automation.php, user_admin.php, and user_group_admin.php, as demonstrated by the description parameter in data_sources.php (a raw string from the database that is…
- CVE-2020-7058Jan 15, 2020risk 0.00cvss —epss 0.02
data_input.php in Cacti 1.2.8 allows remote code execution via a crafted Input String to Data Collection -> Data Input Methods -> Unix -> Ping Host. NOTE: the vendor has stated "This is a false alarm.
- CVE-2019-17358Dec 12, 2019risk 0.00cvss —epss 0.03
Cacti through 1.2.7 is affected by multiple instances of lib/functions.php unsafe deserialization of user-controlled data to populate arrays. An authenticated attacker could use this to influence object data values and control actions taken by Cacti or potentially cause memory…
- CVE-2019-16723Sep 23, 2019risk 0.00cvss —epss 0.01
In Cacti through 1.2.6, authenticated users may bypass authorization checks (for viewing a graph) via a direct graph_json.php request with a modified local_graph_id parameter.
- CVE-2019-11025Apr 8, 2019risk 0.00cvss —epss 0.01
In clearFilter() in utilities.php in Cacti before 1.2.3, no escaping occurs before printing out the value of the SNMP community string (SNMP Options) in the View poller cache, leading to XSS.
- CVE-2018-20725Jan 16, 2019risk 0.00cvss —epss 0.01
A cross-site scripting (XSS) vulnerability exists in graph_templates.php in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Graph Vertical Label.
- CVE-2018-20724Jan 16, 2019risk 0.00cvss —epss 0.01
A cross-site scripting (XSS) vulnerability exists in pollers.php in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Website Hostname for Data Collectors.
- CVE-2018-20723Jan 16, 2019risk 0.00cvss —epss 0.01
A cross-site scripting (XSS) vulnerability exists in color_templates.php in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Name field for a Color.
- CVE-2018-20726Jan 16, 2019risk 0.00cvss —epss 0.01
A cross-site scripting (XSS) vulnerability exists in host.php (via tree.php) in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Website Hostname field for Devices.
- CVE-2015-8369Dec 17, 2015risk 0.00cvss —epss 0.02
SQL injection vulnerability in include/top_graph_header.php in Cacti 0.8.8f and earlier allows remote attackers to execute arbitrary SQL commands via the rra_id parameter in a properties action to graph.php.
- CVE-2015-8377Dec 15, 2015risk 0.00cvss —epss 0.02
SQL injection vulnerability in the host_new_graphs_save function in graphs_new.php in Cacti 0.8.8f and earlier allows remote authenticated users to execute arbitrary SQL commands via crafted serialized data in the selected_graphs_array parameter in a save action.
- CVE-2015-4634Aug 11, 2015risk 0.00cvss —epss 0.02
SQL injection vulnerability in graphs.php in Cacti before 0.8.8e allows remote attackers to execute arbitrary SQL commands via the local_graph_id parameter.
- CVE-2015-2967Jul 10, 2015risk 0.00cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in settings.php in Cacti before 0.8.8d allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
- CVE-2015-4454Jun 17, 2015risk 0.00cvss —epss 0.02
SQL injection vulnerability in the get_hash_graph_template function in lib/functions.php in Cacti before 0.8.8d allows remote attackers to execute arbitrary SQL commands via the graph_template_id parameter to graph_templates.php.
- CVE-2015-4342Jun 17, 2015risk 0.00cvss —epss 0.03
SQL injection vulnerability in Cacti before 0.8.8d allows remote attackers to execute arbitrary SQL commands via unspecified vectors involving a cdef id.
- CVE-2015-2665Jun 17, 2015risk 0.00cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in Cacti before 0.8.8d allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
- CVE-2015-0916May 22, 2015risk 0.00cvss —epss 0.01
SQL injection vulnerability in graph.php in Cacti before 0.8.6f allows remote authenticated users to execute arbitrary SQL commands via the local_graph_id parameter, a different vulnerability than CVE-2007-6035.
- CVE-2014-5026Oct 20, 2014risk 0.00cvss —epss 0.02
Multiple cross-site scripting (XSS) vulnerabilities in Cacti 0.8.8b allow remote authenticated users with console access to inject arbitrary web script or HTML via a (1) Graph Tree Title in a delete or (2) edit action; (3) CDEF Name, (4) Data Input Method Name, or (5) Host…
- CVE-2014-5025Oct 20, 2014risk 0.00cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in data_sources.php in Cacti 0.8.8b allows remote authenticated users with console access to inject arbitrary web script or HTML via the name_cache parameter in a ds_edit action.
- CVE-2014-5262Aug 22, 2014risk 0.00cvss —epss 0.02
SQL injection vulnerability in the graph settings script (graph_settings.php) in Cacti 0.8.8b and earlier allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
Page 7 of 9