Cacti (software)
All CVEs
171 total · sorted by risk

| CVE | Risk | CVSS | EPSS | Published | Description | Vendor / Product | Sev | KEV |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-39359 | 0.00 | — | 0.02 | Sep 5, 2023 | Cacti is an open source operational monitoring and fault management framework. An authenticated SQL injection vulnerability was discovered which allows authenticated users to perform privilege escalation and remote code execution. The vulnerability resides in the `graphs.php`… | |||
| CVE-2023-39360 | 0.00 | — | 0.01 | Sep 5, 2023 | Cacti is an open source operational monitoring and fault management framework. Affected versions are subject to a Stored Cross-Site-Scripting (XSS) Vulnerability which allows an authenticated user to poison data. The vulnerability is found in `graphs_new.php`. Several validations are… | |||
| CVE-2023-39366 | 0.00 | — | 0.01 | Sep 5, 2023 | Cacti is an open source operational monitoring and fault management framework. Affected versions are subject to a Stored Cross-Site-Scripting (XSS) Vulnerability which allows an authenticated user to poison data stored in the _cacti_'s database. These data will be viewed by… | |||
| CVE-2023-39510 | 0.00 | — | 0.01 | Sep 5, 2023 | Cacti is an open source operational monitoring and fault management framework. Affected versions are subject to a Stored Cross-Site-Scripting (XSS) Vulnerability which allows an authenticated user to poison data stored in the _cacti_'s database. These data will be viewed by… | |||
| CVE-2023-39512 | 0.00 | — | 0.01 | Sep 5, 2023 | Cacti is an open source operational monitoring and fault management framework. Affected versions are subject to a Stored Cross-Site-Scripting (XSS) Vulnerability which allows an authenticated user to poison data stored in the _cacti_'s database. These data will be viewed by… | |||
| CVE-2023-39513 | 0.00 | — | 0.01 | Sep 5, 2023 | Cacti is an open source operational monitoring and fault management framework. Affected versions are subject to a Stored Cross-Site-Scripting (XSS) Vulnerability which allows an authenticated user to poison data stored in the _cacti_'s database. These data will be viewed by… | |||
| CVE-2023-39515 | 0.00 | — | 0.01 | Sep 5, 2023 | Cacti is an open source operational monitoring and fault management framework. Affected versions are subject to a Stored Cross-Site-Scripting (XSS) Vulnerability which allows an authenticated user to poison data stored in the cacti's database. These data will be viewed by… | |||
| CVE-2023-39514 | 0.00 | — | 0.01 | Sep 5, 2023 | Cacti is an open source operational monitoring and fault management framework. Affected versions are subject to a Stored Cross-Site-Scripting (XSS) Vulnerability which allows an authenticated user to poison data stored in the _cacti_'s database. These data will be viewed by… | |||
| CVE-2022-48547 | 0.00 | — | 0.01 | Aug 22, 2023 | A reflected cross-site scripting (XSS) vulnerability in Cacti 0.8.7g and earlier allows unauthenticated remote attackers to inject arbitrary web script or HTML in the "ref" parameter at auth_changepassword.php. | |||
| CVE-2022-41444 | 0.00 | — | 0.01 | Aug 22, 2023 | Cross Site Scripting (XSS) vulnerability in Cacti 1.2.21 via crafted POST request to graphs_new.php. | |||
| CVE-2022-48538 | 0.00 | — | 0.01 | Aug 22, 2023 | In Cacti 1.2.19, there is an authentication bypass in the web login functionality because of improper validation in the PHP code: cacti_ldap_auth() allows a zero as the password. | |||
| CVE-2023-37543 | 0.00 | — | 0.01 | Aug 10, 2023 | Cacti before 1.2.6 allows IDOR (Insecure Direct Object Reference) for accessing any graph via a modified local_graph_id parameter to graph_xport.php. This is a different vulnerability than CVE-2019-16723. | |||
| CVE-2022-0730 | 0.00 | — | 0.03 | Mar 3, 2022 | Under certain ldap conditions, Cacti authentication can be bypassed with certain credential types. | |||
| CVE-2021-23225 | 0.00 | — | 0.01 | Jan 19, 2022 | Cacti 1.1.38 allows authenticated users with User Management permissions to inject arbitrary web script or HTML in the "new_username" field during creation of a new user via "Copy" method at user_admin.php. | |||
| CVE-2021-3816 | 0.00 | — | 0.01 | Jan 19, 2022 | Cacti 1.1.38 allows authenticated users with User Management permissions to inject arbitrary HTML in the group_prefix field during the creation of a new group via "Copy" method at user_group_admin.php. | |||
| CVE-2020-14424 | 0.00 | — | 0.02 | Nov 14, 2021 | Cacti before 1.2.18 allows remote attackers to trigger XSS via template import for the midwinter theme. | |||
| CVE-2020-23226 | 0.00 | — | 0.02 | Aug 27, 2021 | Multiple Cross Site Scripting (XSS) vulnerabilities exist in Cacti 1.2.12 in (1) reports_admin.php, (2) data_queries.php, (3) data_input.php, (4) graph_templates.php, (5) graphs.php, (6) reports_admin.php, and (7) data_input.php. | |||
| CVE-2020-35701 | 0.00 | — | 0.05 | Jan 11, 2021 | An issue was discovered in Cacti 1.2.x through 1.2.16. A SQL injection vulnerability in data_debug.php allows remote authenticated attackers to execute arbitrary SQL commands via the site_id parameter. This can lead to remote code execution. | |||
| CVE-2020-25706 | 0.00 | — | 0.03 | Nov 12, 2020 | A cross-site scripting (XSS) vulnerability exists in templates_import.php (Cacti 1.2.13) due to improper escaping of error message during template import preview in the xml_path field. | |||
| CVE-2020-13231 | 0.00 | — | 0.01 | May 20, 2020 | In Cacti before 1.2.11, auth_profile.php?action=edit allows CSRF for an admin email change. | |||
| CVE-2020-13230 | 0.00 | — | 0.01 | May 20, 2020 | In Cacti before 1.2.11, disabling a user account does not immediately invalidate any permissions granted to that account (e.g., permission to view logs). | |||
| CVE-2020-7106 | 0.00 | — | 0.02 | Jan 16, 2020 | Cacti 1.2.8 has stored XSS in data_sources.php, color_templates_item.php, graphs.php, graph_items.php, lib/api_automation.php, user_admin.php, and user_group_admin.php, as demonstrated by the description parameter in data_sources.php (a raw string from the database that is… | |||
| CVE-2020-7058 | 0.00 | — | 0.02 | Jan 15, 2020 | data_input.php in Cacti 1.2.8 allows remote code execution via a crafted Input String to Data Collection -> Data Input Methods -> Unix -> Ping Host. NOTE: the vendor has stated "This is a false alarm. | |||
| CVE-2019-17358 | 0.00 | — | 0.03 | Dec 12, 2019 | Cacti through 1.2.7 is affected by multiple instances of lib/functions.php unsafe deserialization of user-controlled data to populate arrays. An authenticated attacker could use this to influence object data values and control actions taken by Cacti or potentially cause memory… | |||
| CVE-2019-16723 | 0.00 | — | 0.01 | Sep 23, 2019 | In Cacti through 1.2.6, authenticated users may bypass authorization checks (for viewing a graph) via a direct graph_json.php request with a modified local_graph_id parameter. | |||
| CVE-2019-11025 | 0.00 | — | 0.01 | Apr 8, 2019 | In clearFilter() in utilities.php in Cacti before 1.2.3, no escaping occurs before printing out the value of the SNMP community string (SNMP Options) in the View poller cache, leading to XSS. | |||
| CVE-2018-20725 | 0.00 | — | 0.01 | Jan 16, 2019 | A cross-site scripting (XSS) vulnerability exists in graph_templates.php in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Graph Vertical Label. | |||
| CVE-2018-20724 | 0.00 | — | 0.01 | Jan 16, 2019 | A cross-site scripting (XSS) vulnerability exists in pollers.php in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Website Hostname for Data Collectors. | |||
| CVE-2018-20723 | 0.00 | — | 0.01 | Jan 16, 2019 | A cross-site scripting (XSS) vulnerability exists in color_templates.php in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Name field for a Color. | |||
| CVE-2018-20726 | 0.00 | — | 0.01 | Jan 16, 2019 | A cross-site scripting (XSS) vulnerability exists in host.php (via tree.php) in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Website Hostname field for Devices. | |||
| CVE-2015-8369 | 0.00 | — | 0.02 | Dec 17, 2015 | SQL injection vulnerability in include/top_graph_header.php in Cacti 0.8.8f and earlier allows remote attackers to execute arbitrary SQL commands via the rra_id parameter in a properties action to graph.php. | |||
| CVE-2015-8377 | 0.00 | — | 0.02 | Dec 15, 2015 | SQL injection vulnerability in the host_new_graphs_save function in graphs_new.php in Cacti 0.8.8f and earlier allows remote authenticated users to execute arbitrary SQL commands via crafted serialized data in the selected_graphs_array parameter in a save action. | |||
| CVE-2015-4634 | 0.00 | — | 0.02 | Aug 11, 2015 | SQL injection vulnerability in graphs.php in Cacti before 0.8.8e allows remote attackers to execute arbitrary SQL commands via the local_graph_id parameter. | |||
| CVE-2015-2967 | 0.00 | — | 0.02 | Jul 10, 2015 | Cross-site scripting (XSS) vulnerability in settings.php in Cacti before 0.8.8d allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||
| CVE-2015-4454 | 0.00 | — | 0.02 | Jun 17, 2015 | SQL injection vulnerability in the get_hash_graph_template function in lib/functions.php in Cacti before 0.8.8d allows remote attackers to execute arbitrary SQL commands via the graph_template_id parameter to graph_templates.php. | |||
| CVE-2015-4342 | 0.00 | — | 0.03 | Jun 17, 2015 | SQL injection vulnerability in Cacti before 0.8.8d allows remote attackers to execute arbitrary SQL commands via unspecified vectors involving a cdef id. | |||
| CVE-2015-2665 | 0.00 | — | 0.02 | Jun 17, 2015 | Cross-site scripting (XSS) vulnerability in Cacti before 0.8.8d allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||
| CVE-2015-0916 | 0.00 | — | 0.01 | May 22, 2015 | SQL injection vulnerability in graph.php in Cacti before 0.8.6f allows remote authenticated users to execute arbitrary SQL commands via the local_graph_id parameter, a different vulnerability than CVE-2007-6035. | |||
| CVE-2014-5026 | 0.00 | — | 0.02 | Oct 20, 2014 | Multiple cross-site scripting (XSS) vulnerabilities in Cacti 0.8.8b allow remote authenticated users with console access to inject arbitrary web script or HTML via a (1) Graph Tree Title in a delete or (2) edit action; (3) CDEF Name, (4) Data Input Method Name, or (5) Host… | |||
| CVE-2014-5025 | 0.00 | — | 0.02 | Oct 20, 2014 | Cross-site scripting (XSS) vulnerability in data_sources.php in Cacti 0.8.8b allows remote authenticated users with console access to inject arbitrary web script or HTML via the name_cache parameter in a ds_edit action. | |||
| CVE-2014-5262 | 0.00 | — | 0.02 | Aug 22, 2014 | SQL injection vulnerability in the graph settings script (graph_settings.php) in Cacti 0.8.8b and earlier allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | |||
| CVE-2014-4002 | 0.00 | — | 0.02 | Jul 3, 2014 | Multiple cross-site scripting (XSS) vulnerabilities in Cacti 0.8.8b allow remote attackers to inject arbitrary web script or HTML via the (1) drp_action parameter to cdef.php, (2) data_input.php, (3) data_queries.php, (4) data_sources.php, (5) data_templates.php, (6)… | |||
| CVE-2014-2709 | 0.00 | — | 0.05 | Apr 23, 2014 | lib/rrd.php in Cacti 0.8.7g, 0.8.8b, and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in unspecified parameters. | |||
| CVE-2014-2328 | 0.00 | — | 0.04 | Apr 23, 2014 | lib/graph_export.php in Cacti 0.8.7g, 0.8.8b, and earlier allows remote authenticated users to execute arbitrary commands via shell metacharacters in unspecified vectors. | |||
| CVE-2014-2327 | 0.00 | — | 0.02 | Apr 23, 2014 | Cross-site request forgery (CSRF) vulnerability in Cacti 0.8.7g, 0.8.8b, and earlier allows remote attackers to hijack the authentication of users for unspecified commands, as demonstrated by requests that (1) modify binary files, (2) modify configurations, or (3) add arbitrary… | |||
| CVE-2014-2708 | 0.00 | — | 0.02 | Apr 10, 2014 | Multiple SQL injection vulnerabilities in graph_xport.php in Cacti 0.8.7g, 0.8.8b, and earlier allow remote attackers to execute arbitrary SQL commands via the (1) graph_start, (2) graph_end, (3) graph_height, (4) graph_width, (5) graph_nolegend, (6) print_source, (7)… | |||
| CVE-2014-2326 | 0.00 | — | 0.03 | Mar 27, 2014 | Cross-site scripting (XSS) vulnerability in cdef.php in Cacti 0.8.7g, 0.8.8b, and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||
| CVE-2013-5589 | 0.00 | — | 0.02 | Aug 29, 2013 | SQL injection vulnerability in cacti/host.php in Cacti 0.8.8b and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter. | |||
| CVE-2013-5588 | 0.00 | — | 0.01 | Aug 29, 2013 | Multiple cross-site scripting (XSS) vulnerabilities in Cacti 0.8.8b and earlier allow remote attackers to inject arbitrary web script or HTML via (1) the step parameter to install/index.php or (2) the id parameter to cacti/host.php. | |||
| CVE-2013-1435 | 0.00 | — | 0.02 | Aug 23, 2013 | (1) snmp.php and (2) rrd.php in Cacti before 0.8.8b allows remote attackers to execute arbitrary commands via shell metacharacters in unspecified vectors. |