Cacti (software)

All CVEs

171 total · sorted by risk
  • CVE-2023-39359 · Sep 5, 2023
    risk 0.00 · cvss n/a · epss 0.02

    Cacti is an open source operational monitoring and fault management framework. An authenticated SQL injection vulnerability was discovered which allows authenticated users to perform privilege escalation and remote code execution. The vulnerability resides in the `graphs.php`…

  • CVE-2023-39360 · Sep 5, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Cacti is an open source operational monitoring and fault management framework. Affected versions are subject to a Stored Cross-Site-Scripting (XSS) vulnerability which allows an authenticated user to poison data. The vulnerability is found in `graphs_new.php`. Several validations are…

  • CVE-2023-39366 · Sep 5, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Cacti is an open source operational monitoring and fault management framework. Affected versions are subject to a Stored Cross-Site-Scripting (XSS) vulnerability which allows an authenticated user to poison data stored in the _cacti_'s database. These data will be viewed by…

  • CVE-2023-39510 · Sep 5, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Cacti is an open source operational monitoring and fault management framework. Affected versions are subject to a Stored Cross-Site-Scripting (XSS) vulnerability which allows an authenticated user to poison data stored in the _cacti_'s database. These data will be viewed by…

  • CVE-2023-39512 · Sep 5, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Cacti is an open source operational monitoring and fault management framework. Affected versions are subject to a Stored Cross-Site-Scripting (XSS) Vulnerability which allows an authenticated user to poison data stored in the _cacti_'s database. These data will be viewed by…

  • CVE-2023-39513 · Sep 5, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Cacti is an open source operational monitoring and fault management framework. Affected versions are subject to a Stored Cross-Site-Scripting (XSS) Vulnerability which allows an authenticated user to poison data stored in the _cacti_'s database. These data will be viewed by…

  • CVE-2023-39515 · Sep 5, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Cacti is an open source operational monitoring and fault management framework. Affected versions are subject to a Stored Cross-Site-Scripting (XSS) vulnerability which allows an authenticated user to poison data stored in the cacti's database. These data will be viewed by…

  • CVE-2023-39514 · Sep 5, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Cacti is an open source operational monitoring and fault management framework. Affected versions are subject to a Stored Cross-Site-Scripting (XSS) Vulnerability which allows an authenticated user to poison data stored in the _cacti_'s database. These data will be viewed by…

  • CVE-2022-48547 · Aug 22, 2023
    risk 0.00 · cvss n/a · epss 0.01

    A reflected cross-site scripting (XSS) vulnerability in Cacti 0.8.7g and earlier allows unauthenticated remote attackers to inject arbitrary web script or HTML in the "ref" parameter at auth_changepassword.php.

  • CVE-2022-41444 · Aug 22, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Cross Site Scripting (XSS) vulnerability in Cacti 1.2.21 via crafted POST request to graphs_new.php.

  • CVE-2022-48538 · Aug 22, 2023
    risk 0.00 · cvss n/a · epss 0.01

    In Cacti 1.2.19, there is an authentication bypass in the web login functionality because of improper validation in the PHP code: cacti_ldap_auth() allows a zero as the password.

  • CVE-2023-37543 · Aug 10, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Cacti before 1.2.6 allows IDOR (Insecure Direct Object Reference) for accessing any graph via a modified local_graph_id parameter to graph_xport.php. This is a different vulnerability than CVE-2019-16723.

  • CVE-2022-0730 · Mar 3, 2022
    risk 0.00 · cvss n/a · epss 0.03

    Under certain ldap conditions, Cacti authentication can be bypassed with certain credential types.

  • CVE-2021-23225 · Jan 19, 2022
    risk 0.00 · cvss n/a · epss 0.01

    Cacti 1.1.38 allows authenticated users with User Management permissions to inject arbitrary web script or HTML in the "new_username" field during creation of a new user via "Copy" method at user_admin.php.

  • CVE-2021-3816 · Jan 19, 2022
    risk 0.00 · cvss n/a · epss 0.01

    Cacti 1.1.38 allows authenticated users with User Management permissions to inject arbitrary HTML in the group_prefix field during the creation of a new group via "Copy" method at user_group_admin.php.

  • CVE-2020-14424 · Nov 14, 2021
    risk 0.00 · cvss n/a · epss 0.02

    Cacti before 1.2.18 allows remote attackers to trigger XSS via template import for the midwinter theme.

  • CVE-2020-23226 · Aug 27, 2021
    risk 0.00 · cvss n/a · epss 0.02

    Multiple Cross Site Scripting (XSS) vulnerabilities exist in Cacti 1.2.12 in (1) reports_admin.php, (2) data_queries.php, (3) data_input.php, (4) graph_templates.php, (5) graphs.php, (6) reports_admin.php, and (7) data_input.php.

  • CVE-2020-35701 · Jan 11, 2021
    risk 0.00 · cvss n/a · epss 0.05

    An issue was discovered in Cacti 1.2.x through 1.2.16. A SQL injection vulnerability in data_debug.php allows remote authenticated attackers to execute arbitrary SQL commands via the site_id parameter. This can lead to remote code execution.

  • CVE-2020-25706 · Nov 12, 2020
    risk 0.00 · cvss n/a · epss 0.03

    A cross-site scripting (XSS) vulnerability exists in templates_import.php (Cacti 1.2.13) due to improper escaping of the error message during template import preview in the xml_path field.

  • CVE-2020-13231 · May 20, 2020
    risk 0.00 · cvss n/a · epss 0.01

    In Cacti before 1.2.11, auth_profile.php?action=edit allows CSRF for an admin email change.

  • CVE-2020-13230 · May 20, 2020
    risk 0.00 · cvss n/a · epss 0.01

    In Cacti before 1.2.11, disabling a user account does not immediately invalidate any permissions granted to that account (e.g., permission to view logs).

  • CVE-2020-7106 · Jan 16, 2020
    risk 0.00 · cvss n/a · epss 0.02

    Cacti 1.2.8 has stored XSS in data_sources.php, color_templates_item.php, graphs.php, graph_items.php, lib/api_automation.php, user_admin.php, and user_group_admin.php, as demonstrated by the description parameter in data_sources.php (a raw string from the database that is…

  • CVE-2020-7058 · Jan 15, 2020
    risk 0.00 · cvss n/a · epss 0.02

    data_input.php in Cacti 1.2.8 allows remote code execution via a crafted Input String to Data Collection -> Data Input Methods -> Unix -> Ping Host. NOTE: the vendor has stated "This is a false alarm.

  • CVE-2019-17358 · Dec 12, 2019
    risk 0.00 · cvss n/a · epss 0.03

    Cacti through 1.2.7 is affected by multiple instances of lib/functions.php unsafe deserialization of user-controlled data to populate arrays. An authenticated attacker could use this to influence object data values and control actions taken by Cacti or potentially cause memory…

  • CVE-2019-16723 · Sep 23, 2019
    risk 0.00 · cvss n/a · epss 0.01

    In Cacti through 1.2.6, authenticated users may bypass authorization checks (for viewing a graph) via a direct graph_json.php request with a modified local_graph_id parameter.

  • CVE-2019-11025 · Apr 8, 2019
    risk 0.00 · cvss n/a · epss 0.01

    In clearFilter() in utilities.php in Cacti before 1.2.3, no escaping occurs before printing out the value of the SNMP community string (SNMP Options) in the View poller cache, leading to XSS.

  • CVE-2018-20725 · Jan 16, 2019
    risk 0.00 · cvss n/a · epss 0.01

    A cross-site scripting (XSS) vulnerability exists in graph_templates.php in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Graph Vertical Label.

  • CVE-2018-20724 · Jan 16, 2019
    risk 0.00 · cvss n/a · epss 0.01

    A cross-site scripting (XSS) vulnerability exists in pollers.php in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Website Hostname for Data Collectors.

  • CVE-2018-20723 · Jan 16, 2019
    risk 0.00 · cvss n/a · epss 0.01

    A cross-site scripting (XSS) vulnerability exists in color_templates.php in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Name field for a Color.

  • CVE-2018-20726 · Jan 16, 2019
    risk 0.00 · cvss n/a · epss 0.01

    A cross-site scripting (XSS) vulnerability exists in host.php (via tree.php) in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Website Hostname field for Devices.

  • CVE-2015-8369 · Dec 17, 2015
    risk 0.00 · cvss n/a · epss 0.02

    SQL injection vulnerability in include/top_graph_header.php in Cacti 0.8.8f and earlier allows remote attackers to execute arbitrary SQL commands via the rra_id parameter in a properties action to graph.php.

  • CVE-2015-8377 · Dec 15, 2015
    risk 0.00 · cvss n/a · epss 0.02

    SQL injection vulnerability in the host_new_graphs_save function in graphs_new.php in Cacti 0.8.8f and earlier allows remote authenticated users to execute arbitrary SQL commands via crafted serialized data in the selected_graphs_array parameter in a save action.

  • CVE-2015-4634 · Aug 11, 2015
    risk 0.00 · cvss n/a · epss 0.02

    SQL injection vulnerability in graphs.php in Cacti before 0.8.8e allows remote attackers to execute arbitrary SQL commands via the local_graph_id parameter.

  • CVE-2015-2967 · Jul 10, 2015
    risk 0.00 · cvss n/a · epss 0.02

    Cross-site scripting (XSS) vulnerability in settings.php in Cacti before 0.8.8d allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

  • CVE-2015-4454 · Jun 17, 2015
    risk 0.00 · cvss n/a · epss 0.02

    SQL injection vulnerability in the get_hash_graph_template function in lib/functions.php in Cacti before 0.8.8d allows remote attackers to execute arbitrary SQL commands via the graph_template_id parameter to graph_templates.php.

  • CVE-2015-4342 · Jun 17, 2015
    risk 0.00 · cvss n/a · epss 0.03

    SQL injection vulnerability in Cacti before 0.8.8d allows remote attackers to execute arbitrary SQL commands via unspecified vectors involving a cdef id.

  • CVE-2015-2665 · Jun 17, 2015
    risk 0.00 · cvss n/a · epss 0.02

    Cross-site scripting (XSS) vulnerability in Cacti before 0.8.8d allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

  • CVE-2015-0916 · May 22, 2015
    risk 0.00 · cvss n/a · epss 0.01

    SQL injection vulnerability in graph.php in Cacti before 0.8.6f allows remote authenticated users to execute arbitrary SQL commands via the local_graph_id parameter, a different vulnerability than CVE-2007-6035.

  • CVE-2014-5026 · Oct 20, 2014
    risk 0.00 · cvss n/a · epss 0.02

    Multiple cross-site scripting (XSS) vulnerabilities in Cacti 0.8.8b allow remote authenticated users with console access to inject arbitrary web script or HTML via a (1) Graph Tree Title in a delete or (2) edit action; (3) CDEF Name, (4) Data Input Method Name, or (5) Host…

  • CVE-2014-5025 · Oct 20, 2014
    risk 0.00 · cvss n/a · epss 0.02

    Cross-site scripting (XSS) vulnerability in data_sources.php in Cacti 0.8.8b allows remote authenticated users with console access to inject arbitrary web script or HTML via the name_cache parameter in a ds_edit action.

  • CVE-2014-5262 · Aug 22, 2014
    risk 0.00 · cvss n/a · epss 0.02

    SQL injection vulnerability in the graph settings script (graph_settings.php) in Cacti 0.8.8b and earlier allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

  • CVE-2014-4002 · Jul 3, 2014
    risk 0.00 · cvss n/a · epss 0.02

    Multiple cross-site scripting (XSS) vulnerabilities in Cacti 0.8.8b allow remote attackers to inject arbitrary web script or HTML via the (1) drp_action parameter to cdef.php, (2) data_input.php, (3) data_queries.php, (4) data_sources.php, (5) data_templates.php, (6)…

  • CVE-2014-2709 · Apr 23, 2014
    risk 0.00 · cvss n/a · epss 0.05

    lib/rrd.php in Cacti 0.8.7g, 0.8.8b, and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in unspecified parameters.

  • CVE-2014-2328 · Apr 23, 2014
    risk 0.00 · cvss n/a · epss 0.04

    lib/graph_export.php in Cacti 0.8.7g, 0.8.8b, and earlier allows remote authenticated users to execute arbitrary commands via shell metacharacters in unspecified vectors.

  • CVE-2014-2327 · Apr 23, 2014
    risk 0.00 · cvss n/a · epss 0.02

    Cross-site request forgery (CSRF) vulnerability in Cacti 0.8.7g, 0.8.8b, and earlier allows remote attackers to hijack the authentication of users for unspecified commands, as demonstrated by requests that (1) modify binary files, (2) modify configurations, or (3) add arbitrary…

  • CVE-2014-2708 · Apr 10, 2014
    risk 0.00 · cvss n/a · epss 0.02

    Multiple SQL injection vulnerabilities in graph_xport.php in Cacti 0.8.7g, 0.8.8b, and earlier allow remote attackers to execute arbitrary SQL commands via the (1) graph_start, (2) graph_end, (3) graph_height, (4) graph_width, (5) graph_nolegend, (6) print_source, (7)…

  • CVE-2014-2326 · Mar 27, 2014
    risk 0.00 · cvss n/a · epss 0.03

    Cross-site scripting (XSS) vulnerability in cdef.php in Cacti 0.8.7g, 0.8.8b, and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

  • CVE-2013-5589 · Aug 29, 2013
    risk 0.00 · cvss n/a · epss 0.02

    SQL injection vulnerability in cacti/host.php in Cacti 0.8.8b and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter.

  • CVE-2013-5588 · Aug 29, 2013
    risk 0.00 · cvss n/a · epss 0.01

    Multiple cross-site scripting (XSS) vulnerabilities in Cacti 0.8.8b and earlier allow remote attackers to inject arbitrary web script or HTML via (1) the step parameter to install/index.php or (2) the id parameter to cacti/host.php.

  • CVE-2013-1435 · Aug 23, 2013
    risk 0.00 · cvss n/a · epss 0.02

    (1) snmp.php and (2) rrd.php in Cacti before 0.8.8b allow remote attackers to execute arbitrary commands via shell metacharacters in unspecified vectors.