Filtered by vendor Cacti
Subscriptions
Total
131 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-46490 | 1 Cacti | 1 Cacti | 2024-11-21 | 6.5 Medium |
| SQL Injection vulnerability in Cacti v1.2.25 allows a remote attacker to obtain sensitive information via the form_actions() function in the managers.php function. | ||||
| CVE-2023-37543 | 1 Cacti | 1 Cacti | 2024-11-21 | 7.5 High |
| Cacti before 1.2.6 allows IDOR (Insecure Direct Object Reference) for accessing any graph via a modified local_graph_id parameter to graph_xport.php. This is a different vulnerability than CVE-2019-16723. | ||||
| CVE-2022-48547 | 1 Cacti | 1 Cacti | 2024-11-21 | 6.1 Medium |
| A reflected cross-site scripting (XSS) vulnerability in Cacti 0.8.7g and earlier allows unauthenticated remote attackers to inject arbitrary web script or HTML in the "ref" parameter at auth_changepassword.php. | ||||
| CVE-2022-48538 | 1 Cacti | 1 Cacti | 2024-11-21 | 5.3 Medium |
| In Cacti 1.2.19, there is an authentication bypass in the web login functionality because of improper validation in the PHP code: cacti_ldap_auth() allows a zero as the password. | ||||
| CVE-2022-41444 | 1 Cacti | 1 Cacti | 2024-11-21 | 6.1 Medium |
| Cross Site Scripting (XSS) vulnerability in Cacti 1.2.21 via crafted POST request to graphs_new.php. | ||||
| CVE-2022-0730 | 3 Cacti, Debian, Fedoraproject | 3 Cacti, Debian Linux, Fedora | 2024-11-21 | 9.8 Critical |
| Under certain ldap conditions, Cacti authentication can be bypassed with certain credential types. | ||||
| CVE-2021-3816 | 1 Cacti | 1 Cacti | 2024-11-21 | 5.4 Medium |
| Cacti 1.1.38 allows authenticated users with User Management permissions to inject arbitrary HTML in the group_prefix field during the creation of a new group via "Copy" method at user_group_admin.php. | ||||
| CVE-2021-26247 | 1 Cacti | 1 Cacti | 2024-11-21 | 6.1 Medium |
| As an unauthenticated remote user, visit "http://<CACTI_SERVER>/auth_changepassword.php?ref=<script>alert(1)</script>" to successfully execute the JavaScript payload present in the "ref" URL parameter. | ||||
| CVE-2021-23225 | 2 Cacti, Debian | 2 Cacti, Debian Linux | 2024-11-21 | 5.4 Medium |
| Cacti 1.1.38 allows authenticated users with User Management permissions to inject arbitrary web script or HTML in the "new_username" field during creation of a new user via "Copy" method at user_admin.php. | ||||
| CVE-2020-8813 | 5 Cacti, Debian, Fedoraproject and 2 more | 6 Cacti, Debian Linux, Fedora and 3 more | 2024-11-21 | 8.8 High |
| graph_realtime.php in Cacti 1.2.8 allows remote attackers to execute arbitrary OS commands via shell metacharacters in a cookie, if a guest user has the graph real-time privilege. | ||||
| CVE-2020-7237 | 1 Cacti | 1 Cacti | 2024-11-21 | 8.8 High |
| Cacti 1.2.8 allows Remote Code Execution (by privileged users) via shell metacharacters in the Performance Boost Debug Log field of poller_automation.php. OS commands are executed when a new poller cycle begins. The attacker must be authenticated, and must have access to modify the Performance Settings of the product. | ||||
| CVE-2020-7106 | 5 Cacti, Debian, Fedoraproject and 2 more | 8 Cacti, Debian Linux, Extra Packages For Enterprise Linux and 5 more | 2024-11-21 | 6.1 Medium |
| Cacti 1.2.8 has stored XSS in data_sources.php, color_templates_item.php, graphs.php, graph_items.php, lib/api_automation.php, user_admin.php, and user_group_admin.php, as demonstrated by the description parameter in data_sources.php (a raw string from the database that is displayed by $header to trigger the XSS). | ||||
| CVE-2020-7058 | 1 Cacti | 1 Cacti | 2024-11-21 | 8.8 High |
| data_input.php in Cacti 1.2.8 allows remote code execution via a crafted Input String to Data Collection -> Data Input Methods -> Unix -> Ping Host. NOTE: the vendor has stated "This is a false alarm. | ||||
| CVE-2020-35701 | 2 Cacti, Fedoraproject | 2 Cacti, Fedora | 2024-11-21 | 8.8 High |
| An issue was discovered in Cacti 1.2.x through 1.2.16. A SQL injection vulnerability in data_debug.php allows remote authenticated attackers to execute arbitrary SQL commands via the site_id parameter. This can lead to remote code execution. | ||||
| CVE-2020-25706 | 2 Cacti, Debian | 2 Cacti, Debian Linux | 2024-11-21 | 5.4 Medium |
| A cross-site scripting (XSS) vulnerability exists in templates_import.php (Cacti 1.2.13) due to Improper escaping of error message during template import preview in the xml_path field | ||||
| CVE-2020-23226 | 2 Cacti, Debian | 2 Cacti, Debian Linux | 2024-11-21 | 6.1 Medium |
| Multiple Cross Site Scripting (XSS) vulneratiblities exist in Cacti 1.2.12 in (1) reports_admin.php, (2) data_queries.php, (3) data_input.php, (4) graph_templates.php, (5) graphs.php, (6) reports_admin.php, and (7) data_input.php. | ||||
| CVE-2020-14424 | 1 Cacti | 1 Cacti | 2024-11-21 | 6.1 Medium |
| Cacti before 1.2.18 allows remote attackers to trigger XSS via template import for the midwinter theme. | ||||
| CVE-2020-14295 | 2 Cacti, Fedoraproject | 2 Cacti, Fedora | 2024-11-21 | 7.2 High |
| A SQL injection issue in color.php in Cacti 1.2.12 allows an admin to inject SQL via the filter parameter. This can lead to remote command execution because the product accepts stacked queries. | ||||
| CVE-2020-13231 | 2 Cacti, Fedoraproject | 2 Cacti, Fedora | 2024-11-21 | 6.5 Medium |
| In Cacti before 1.2.11, auth_profile.php?action=edit allows CSRF for an admin email change. | ||||
| CVE-2020-13230 | 3 Cacti, Debian, Fedoraproject | 3 Cacti, Debian Linux, Fedora | 2024-11-21 | 4.3 Medium |
| In Cacti before 1.2.11, disabling a user account does not immediately invalidate any permissions granted to that account (e.g., permission to view logs). | ||||