Filtered by vendor Cacti
Subscriptions
Filtered by product Cacti
Subscriptions
Total
115 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2022-48538 | 1 Cacti | 1 Cacti | 2023-08-28 | 5.3 Medium |
In Cacti 1.2.19, there is an authentication bypass in the web login functionality because of improper validation in the PHP code: cacti_ldap_auth() allows a zero as the password. | ||||
CVE-2022-48547 | 1 Cacti | 1 Cacti | 2023-08-25 | 6.1 Medium |
A reflected cross-site scripting (XSS) vulnerability in Cacti 0.8.7g and earlier allows unauthenticated remote attackers to inject arbitrary web script or HTML in the "ref" parameter at auth_changepassword.php. | ||||
CVE-2022-41444 | 1 Cacti | 1 Cacti | 2023-08-25 | 6.1 Medium |
Cross Site Scripting (XSS) vulnerability in Cacti 1.2.21 via crafted POST request to graphs_new.php. | ||||
CVE-2020-23226 | 2 Cacti, Debian | 2 Cacti, Debian Linux | 2023-02-24 | 6.1 Medium |
Multiple Cross Site Scripting (XSS) vulneratiblities exist in Cacti 1.2.12 in (1) reports_admin.php, (2) data_queries.php, (3) data_input.php, (4) graph_templates.php, (5) graphs.php, (6) reports_admin.php, and (7) data_input.php. | ||||
CVE-2010-1644 | 1 Cacti | 1 Cacti | 2023-02-13 | N/A |
Multiple cross-site scripting (XSS) vulnerabilities in Cacti before 0.8.7f, as used in Red Hat High Performance Computing (HPC) Solution and other products, allow remote attackers to inject arbitrary web script or HTML via the (1) hostname or (2) description parameter to host.php, or (3) the host_id parameter to data_sources.php. | ||||
CVE-2010-2545 | 1 Cacti | 1 Cacti | 2023-02-13 | N/A |
Multiple cross-site scripting (XSS) vulnerabilities in Cacti before 0.8.7g, as used in Red Hat High Performance Computing (HPC) Solution and other products, allow remote attackers to inject arbitrary web script or HTML via (1) the name element in an XML template to templates_import.php; and allow remote authenticated administrators to inject arbitrary web script or HTML via vectors related to (2) cdef.php, (3) data_input.php, (4) data_queries.php, (5) data_sources.php, (6) data_templates.php, (7) gprint_presets.php, (8) graph.php, (9) graphs_new.php, (10) graphs.php, (11) graph_templates_inputs.php, (12) graph_templates_items.php, (13) graph_templates.php, (14) graph_view.php, (15) host.php, (16) host_templates.php, (17) lib/functions.php, (18) lib/html_form.php, (19) lib/html_form_template.php, (20) lib/html.php, (21) lib/html_tree.php, (22) lib/rrd.php, (23) rra.php, (24) tree.php, and (25) user_admin.php. | ||||
CVE-2010-2544 | 1 Cacti | 1 Cacti | 2023-02-13 | N/A |
Cross-site scripting (XSS) vulnerability in utilities.php in Cacti before 0.8.7g, as used in Red Hat High Performance Computing (HPC) Solution and other products, allows remote attackers to inject arbitrary web script or HTML via the filter parameter. | ||||
CVE-2009-4032 | 1 Cacti | 1 Cacti | 2023-02-13 | N/A |
Multiple cross-site scripting (XSS) vulnerabilities in Cacti 0.8.7e allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) graph.php, (2) include/top_graph_header.php, (3) lib/html_form.php, and (4) lib/timespan_settings.php, as demonstrated by the (a) graph_end or (b) graph_start parameters to graph.php; (c) the date1 parameter in a tree action to graph_view.php; and the (d) page_refresh and (e) default_dual_pane_width parameters to graph_settings.php. | ||||
CVE-2022-0730 | 3 Cacti, Debian, Fedoraproject | 3 Cacti, Debian Linux, Fedora | 2023-02-12 | 9.8 Critical |
Under certain ldap conditions, Cacti authentication can be bypassed with certain credential types. | ||||
CVE-2017-16660 | 1 Cacti | 1 Cacti | 2022-10-03 | N/A |
Cacti 1.1.27 allows remote authenticated administrators to conduct Remote Code Execution attacks by placing the Log Path under the web root, and then making a remote_agent.php request containing PHP code in a Client-ip header. | ||||
CVE-2017-16661 | 1 Cacti | 1 Cacti | 2022-10-03 | N/A |
Cacti 1.1.27 allows remote authenticated administrators to read arbitrary files by placing the Log Path into a private directory, and then making a clog.php?filename= request, as demonstrated by filename=passwd (with a Log Path under /etc) to read /etc/passwd. | ||||
CVE-2017-16641 | 1 Cacti | 1 Cacti | 2022-10-03 | N/A |
lib/rrd.php in Cacti 1.1.27 allows remote authenticated administrators to execute arbitrary OS commands via the path_rrdtool parameter in an action=save request to settings.php. | ||||
CVE-2021-23225 | 2 Cacti, Debian | 2 Cacti, Debian Linux | 2022-05-24 | 5.4 Medium |
Cacti 1.1.38 allows authenticated users with User Management permissions to inject arbitrary web script or HTML in the "new_username" field during creation of a new user via "Copy" method at user_admin.php. | ||||
CVE-2019-11025 | 2 Cacti, Debian | 2 Cacti, Debian Linux | 2022-05-24 | 5.4 Medium |
In clearFilter() in utilities.php in Cacti before 1.2.3, no escaping occurs before printing out the value of the SNMP community string (SNMP Options) in the View poller cache, leading to XSS. | ||||
CVE-2018-10061 | 2 Cacti, Debian | 2 Cacti, Debian Linux | 2022-05-24 | 5.4 Medium |
Cacti before 1.1.37 has XSS because it makes certain htmlspecialchars calls without the ENT_QUOTES flag (these calls occur when the html_escape function in lib/html.php is not used). | ||||
CVE-2018-10060 | 2 Cacti, Debian | 2 Cacti, Debian Linux | 2022-05-24 | 5.4 Medium |
Cacti before 1.1.37 has XSS because it does not properly reject unintended characters, related to use of the sanitize_uri function in lib/functions.php. | ||||
CVE-2021-26247 | 1 Cacti | 1 Cacti | 2022-01-25 | 6.1 Medium |
As an unauthenticated remote user, visit "http://<CACTI_SERVER>/auth_changepassword.php?ref=<script>alert(1)</script>" to successfully execute the JavaScript payload present in the "ref" URL parameter. | ||||
CVE-2021-3816 | 1 Cacti | 1 Cacti | 2022-01-25 | 5.4 Medium |
Cacti 1.1.38 allows authenticated users with User Management permissions to inject arbitrary HTML in the group_prefix field during the creation of a new group via "Copy" method at user_group_admin.php. | ||||
CVE-2020-14424 | 1 Cacti | 1 Cacti | 2021-11-16 | 6.1 Medium |
Cacti before 1.2.18 allows remote attackers to trigger XSS via template import for the midwinter theme. | ||||
CVE-2019-17358 | 3 Cacti, Debian, Opensuse | 3 Cacti, Debian Linux, Leap | 2020-08-24 | 8.1 High |
Cacti through 1.2.7 is affected by multiple instances of lib/functions.php unsafe deserialization of user-controlled data to populate arrays. An authenticated attacker could use this to influence object data values and control actions taken by Cacti or potentially cause memory corruption in the PHP module. |