Filtered by vendor Cacti
Subscribe
Search
Total
110 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-16660 | 1 Cacti | 1 Cacti | 2019-10-03 | 9.0 HIGH | 7.2 HIGH |
| Cacti 1.1.27 allows remote authenticated administrators to conduct Remote Code Execution attacks by placing the Log Path under the web root, and then making a remote_agent.php request containing PHP code in a Client-ip header. | |||||
| CVE-2017-12065 | 1 Cacti | 1 Cacti | 2019-10-03 | 7.5 HIGH | 9.8 CRITICAL |
| spikekill.php in Cacti before 1.1.16 might allow remote attackers to execute arbitrary code via the avgnan, outlier-start, or outlier-end parameter. | |||||
| CVE-2017-11163 | 1 Cacti | 1 Cacti | 2019-05-03 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in aggregate_graphs.php in Cacti 1.1.12 allows remote authenticated users to inject arbitrary web script or HTML via specially crafted HTTP Referer headers, related to the $cancel_url variable. | |||||
| CVE-2018-10059 | 1 Cacti | 1 Cacti | 2019-03-07 | 3.5 LOW | 5.4 MEDIUM |
| Cacti before 1.1.37 has XSS because the get_current_page function in lib/functions.php relies on $_SERVER['PHP_SELF'] instead of $_SERVER['SCRIPT_NAME'] to determine a page name. | |||||
| CVE-2014-2709 | 2 Cacti, Debian | 2 Cacti, Debian Linux | 2018-12-13 | 7.5 HIGH | N/A |
| lib/rrd.php in Cacti 0.8.7g, 0.8.8b, and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in unspecified parameters. | |||||
| CVE-2014-2327 | 3 Cacti, Debian, Opensuse | 3 Cacti, Debian Linux, Opensuse | 2018-12-13 | 6.8 MEDIUM | N/A |
| Cross-site request forgery (CSRF) vulnerability in Cacti 0.8.7g, 0.8.8b, and earlier allows remote attackers to hijack the authentication of users for unspecified commands, as demonstrated by requests that (1) modify binary files, (2) modify configurations, or (3) add arbitrary users. | |||||
| CVE-2014-2328 | 4 Cacti, Debian, Fedoraproject and 1 more | 4 Cacti, Debian Linux, Fedora and 1 more | 2018-12-13 | 6.5 MEDIUM | N/A |
| lib/graph_export.php in Cacti 0.8.7g, 0.8.8b, and earlier allows remote authenticated users to execute arbitrary commands via shell metacharacters in unspecified vectors. | |||||
| CVE-2016-2313 | 2 Cacti, Opensuse | 3 Cacti, Leap, Opensuse | 2018-10-30 | 6.5 MEDIUM | 8.8 HIGH |
| auth_login.php in Cacti before 0.8.8g allows remote authenticated users who use web authentication to bypass intended access restrictions by logging in as a user not in the cacti database. | |||||
| CVE-2013-5588 | 2 Cacti, Opensuse | 2 Cacti, Opensuse | 2018-10-30 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in Cacti 0.8.8b and earlier allow remote attackers to inject arbitrary web script or HTML via (1) the step parameter to install/index.php or (2) the id parameter to cacti/host.php. | |||||
| CVE-2013-5589 | 3 Cacti, Debian, Opensuse | 3 Cacti, Debian Linux, Opensuse | 2018-10-30 | 7.5 HIGH | N/A |
| SQL injection vulnerability in cacti/host.php in Cacti 0.8.8b and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter. | |||||
| CVE-2014-2326 | 4 Cacti, Debian, Fedoraproject and 1 more | 4 Cacti, Debian Linux, Fedora and 1 more | 2018-10-30 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in cdef.php in Cacti 0.8.7g, 0.8.8b, and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2014-4002 | 2 Cacti, Opensuse | 2 Cacti, Opensuse | 2018-10-30 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in Cacti 0.8.8b allow remote attackers to inject arbitrary web script or HTML via the (1) drp_action parameter to cdef.php, (2) data_input.php, (3) data_queries.php, (4) data_sources.php, (5) data_templates.php, (6) graph_templates.php, (7) graphs.php, (8) host.php, or (9) host_templates.php or the (10) graph_template_input_id or (11) graph_template_id parameter to graph_templates_inputs.php. | |||||
| CVE-2014-5025 | 3 Cacti, Debian, Opensuse | 3 Cacti, Debian Linux, Opensuse | 2018-10-30 | 3.5 LOW | N/A |
| Cross-site scripting (XSS) vulnerability in data_sources.php in Cacti 0.8.8b allows remote authenticated users with console access to inject arbitrary web script or HTML via the name_cache parameter in a ds_edit action. | |||||
| CVE-2014-5026 | 3 Cacti, Debian, Opensuse | 3 Cacti, Debian Linux, Opensuse | 2018-10-30 | 3.5 LOW | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in Cacti 0.8.8b allow remote authenticated users with console access to inject arbitrary web script or HTML via a (1) Graph Tree Title in a delete or (2) edit action; (3) CDEF Name, (4) Data Input Method Name, or (5) Host Templates Name in a delete action; (6) Data Source Title; (7) Graph Title; or (8) Graph Template Name in a delete or (9) duplicate action. | |||||
| CVE-2008-0785 | 1 Cacti | 1 Cacti | 2018-10-15 | 7.5 HIGH | N/A |
| Multiple SQL injection vulnerabilities in Cacti 0.8.7 before 0.8.7b and 0.8.6 before 0.8.6k allow remote authenticated users to execute arbitrary SQL commands via the (1) graph_list parameter to graph_view.php, (2) leaf_id and id parameters to tree.php, (3) local_graph_id parameter to graph_xport.php, and (4) login_username parameter to index.php/login. | |||||
| CVE-2008-0786 | 1 Cacti | 1 Cacti | 2018-10-15 | 4.3 MEDIUM | N/A |
| CRLF injection vulnerability in Cacti 0.8.7 before 0.8.7b and 0.8.6 before 0.8.6k, when running on older PHP interpreters, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors. | |||||
| CVE-2008-0784 | 1 Cacti | 1 Cacti | 2018-10-15 | 5.0 MEDIUM | N/A |
| graph.php in Cacti 0.8.7 before 0.8.7b and 0.8.6 before 0.8.6k allows remote attackers to obtain the full path via an invalid local_graph_id parameter and other unspecified vectors. | |||||
| CVE-2008-0783 | 1 Cacti | 1 Cacti | 2018-10-15 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in Cacti 0.8.7 before 0.8.7b and 0.8.6 before 0.8.6k allow remote attackers to inject arbitrary web script or HTML via (1) the view_type parameter to graph.php; (2) the filter parameter to graph_view.php; (3) the action parameter to the draw_navigation_text function in lib/functions.php, reachable through index.php (aka the login page) or data_input.php; or (4) the login_username parameter to index.php. | |||||
| CVE-2009-4112 | 1 Cacti | 1 Cacti | 2018-10-10 | 9.0 HIGH | N/A |
| Cacti 0.8.7e and earlier allows remote authenticated administrators to gain privileges by modifying the "Data Input Method" for the "Linux - Get Memory Usage" setting to contain arbitrary commands. | |||||
| CVE-2009-4032 | 1 Cacti | 1 Cacti | 2018-10-10 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in Cacti 0.8.7e allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) graph.php, (2) include/top_graph_header.php, (3) lib/html_form.php, and (4) lib/timespan_settings.php, as demonstrated by the (a) graph_end or (b) graph_start parameters to graph.php; (c) the date1 parameter in a tree action to graph_view.php; and the (d) page_refresh and (e) default_dual_pane_width parameters to graph_settings.php. | |||||
| CVE-2016-10700 | 1 Cacti | 1 Cacti | 2017-12-11 | 6.5 MEDIUM | 8.8 HIGH |
| auth_login.php in Cacti before 1.0.0 allows remote authenticated users who use web authentication to bypass intended access restrictions by logging in as a user not in the cacti database, because the guest user is not considered. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-2313. | |||||
| CVE-2014-4000 | 1 Cacti | 1 Cacti | 2017-11-29 | 6.5 MEDIUM | 8.8 HIGH |
| Cacti before 1.0.0 allows remote authenticated users to conduct PHP object injection attacks and execute arbitrary PHP code via a crafted serialized object, related to calling unserialize(stripslashes()). | |||||
| CVE-2017-16641 | 1 Cacti | 1 Cacti | 2017-11-28 | 9.0 HIGH | 7.2 HIGH |
| lib/rrd.php in Cacti 1.1.27 allows remote authenticated administrators to execute arbitrary OS commands via the path_rrdtool parameter in an action=save request to settings.php. | |||||
| CVE-2017-16661 | 1 Cacti | 1 Cacti | 2017-11-28 | 4.0 MEDIUM | 4.9 MEDIUM |
| Cacti 1.1.27 allows remote authenticated administrators to read arbitrary files by placing the Log Path into a private directory, and then making a clog.php?filename= request, as demonstrated by filename=passwd (with a Log Path under /etc) to read /etc/passwd. | |||||
| CVE-2017-16785 | 1 Cacti | 1 Cacti | 2017-11-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cacti 1.1.27 has reflected XSS via the PATH_INFO to host.php. | |||||
| CVE-2015-4342 | 2 Cacti, Fedoraproject | 2 Cacti, Fedora | 2017-11-08 | 7.5 HIGH | N/A |
| SQL injection vulnerability in Cacti before 0.8.8d allows remote attackers to execute arbitrary SQL commands via unspecified vectors involving a cdef id. | |||||
| CVE-2015-2665 | 2 Cacti, Fedoraproject | 2 Cacti, Fedora | 2017-11-04 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in Cacti before 0.8.8d allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2015-4454 | 2 Cacti, Fedoraproject | 2 Cacti, Fedora | 2017-11-04 | 7.5 HIGH | N/A |
| SQL injection vulnerability in the get_hash_graph_template function in lib/functions.php in Cacti before 0.8.8d allows remote attackers to execute arbitrary SQL commands via the graph_template_id parameter to graph_templates.php. | |||||
| CVE-2017-15194 | 1 Cacti | 1 Cacti | 2017-10-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| include/global_session.php in Cacti 1.1.25 has XSS related to (1) the URI or (2) the refresh page. | |||||
| CVE-2015-4634 | 1 Cacti | 1 Cacti | 2017-09-22 | 7.5 HIGH | N/A |
| SQL injection vulnerability in graphs.php in Cacti before 0.8.8e allows remote attackers to execute arbitrary SQL commands via the local_graph_id parameter. | |||||
| CVE-2014-5261 | 1 Cacti | 1 Cacti | 2017-09-08 | 7.5 HIGH | N/A |
| The graph settings script (graph_settings.php) in Cacti 0.8.8b and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in a font size, related to the rrdtool commandline in lib/rrd.php. | |||||
| CVE-2014-5262 | 1 Cacti | 1 Cacti | 2017-09-08 | 7.5 HIGH | N/A |
| SQL injection vulnerability in the graph settings script (graph_settings.php) in Cacti 0.8.8b and earlier allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | |||||
| CVE-2014-2708 | 1 Cacti | 1 Cacti | 2017-08-29 | 7.5 HIGH | N/A |
| Multiple SQL injection vulnerabilities in graph_xport.php in Cacti 0.8.7g, 0.8.8b, and earlier allow remote attackers to execute arbitrary SQL commands via the (1) graph_start, (2) graph_end, (3) graph_height, (4) graph_width, (5) graph_nolegend, (6) print_source, (7) local_graph_id, or (8) rra_id parameter. | |||||
| CVE-2011-5223 | 1 Cacti | 1 Cacti | 2017-08-29 | 4.3 MEDIUM | N/A |
| Cross-site request forgery (CSRF) vulnerability in logout.php in Cacti before 0.8.7i allows remote attackers to hijack the authentication of unspecified victims via unknown vectors. | |||||
| CVE-2011-4824 | 1 Cacti | 1 Cacti | 2017-08-29 | 7.5 HIGH | N/A |
| SQL injection vulnerability in auth_login.php in Cacti before 0.8.7h allows remote attackers to execute arbitrary SQL commands via the login_username parameter. | |||||
| CVE-2017-12978 | 1 Cacti | 1 Cacti | 2017-08-27 | 3.5 LOW | 5.4 MEDIUM |
| lib/html.php in Cacti before 1.1.18 has XSS via the title field of an external link added by an authenticated user. | |||||
| CVE-2017-12927 | 1 Cacti | 1 Cacti | 2017-08-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting vulnerability exists in Cacti 1.1.17 in the method parameter in spikekill.php. | |||||
| CVE-2010-2545 | 1 Cacti | 1 Cacti | 2017-08-17 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in Cacti before 0.8.7g, as used in Red Hat High Performance Computing (HPC) Solution and other products, allow remote attackers to inject arbitrary web script or HTML via (1) the name element in an XML template to templates_import.php; and allow remote authenticated administrators to inject arbitrary web script or HTML via vectors related to (2) cdef.php, (3) data_input.php, (4) data_queries.php, (5) data_sources.php, (6) data_templates.php, (7) gprint_presets.php, (8) graph.php, (9) graphs_new.php, (10) graphs.php, (11) graph_templates_inputs.php, (12) graph_templates_items.php, (13) graph_templates.php, (14) graph_view.php, (15) host.php, (16) host_templates.php, (17) lib/functions.php, (18) lib/html_form.php, (19) lib/html_form_template.php, (20) lib/html.php, (21) lib/html_tree.php, (22) lib/rrd.php, (23) rra.php, (24) tree.php, and (25) user_admin.php. | |||||
| CVE-2010-2544 | 1 Cacti | 1 Cacti | 2017-08-17 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in utilities.php in Cacti before 0.8.7g, as used in Red Hat High Performance Computing (HPC) Solution and other products, allows remote attackers to inject arbitrary web script or HTML via the filter parameter. | |||||
| CVE-2017-11691 | 1 Cacti | 1 Cacti | 2017-08-04 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in auth_profile.php in Cacti 1.1.13 allows remote attackers to inject arbitrary web script or HTML via specially crafted HTTP Referer headers. | |||||
| CVE-2017-12066 | 1 Cacti | 1 Cacti | 2017-08-02 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in aggregate_graphs.php in Cacti before 1.1.16 allows remote authenticated users to inject arbitrary web script or HTML via specially crafted HTTP Referer headers, related to the $cancel_url variable. NOTE: this vulnerability exists because of an incomplete fix (lack of the htmlspecialchars ENT_QUOTES flag) for CVE-2017-11163. | |||||
| CVE-2007-6035 | 1 Cacti | 1 Cacti | 2017-07-29 | 7.5 HIGH | N/A |
| SQL injection vulnerability in graph.php in Cacti before 0.8.7a allows remote attackers to execute arbitrary SQL commands via the local_graph_id parameter. | |||||
| CVE-2017-1000032 | 1 Cacti | 1 Cacti | 2017-07-19 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-Site scripting (XSS) vulnerabilities in Cacti 0.8.8b allow remote attackers to inject arbitrary web script or HTML via the parent_id parameter to tree.php and drp_action parameter to data_sources.php. | |||||
| CVE-2017-1000031 | 1 Cacti | 1 Cacti | 2017-07-19 | 6.5 MEDIUM | 8.8 HIGH |
| SQL injection vulnerability in graph_templates_inputs.php in Cacti 0.8.8b allows remote attackers to execute arbitrary SQL commands via the graph_template_input_id and graph_template_id parameters. | |||||
| CVE-2017-10970 | 1 Cacti | 1 Cacti | 2017-07-17 | 4.3 MEDIUM | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in link.php in Cacti 1.1.12 allows remote anonymous users to inject arbitrary web script or HTML via the id parameter, related to the die_html_input_error function in lib/html_validate.php. | |||||
| CVE-2015-2967 | 1 Cacti | 1 Cacti | 2016-12-22 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in settings.php in Cacti before 0.8.8d allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2013-1434 | 1 Cacti | 1 Cacti | 2016-12-08 | 7.5 HIGH | N/A |
| Multiple SQL injection vulnerabilities in (1) api_poller.php and (2) utility.php in Cacti before 0.8.8b allow remote attackers to execute arbitrary SQL commands via unspecified vectors. | |||||
| CVE-2015-8377 | 1 Cacti | 1 Cacti | 2016-12-07 | 6.5 MEDIUM | N/A |
| SQL injection vulnerability in the host_new_graphs_save function in graphs_new.php in Cacti 0.8.8f and earlier allows remote authenticated users to execute arbitrary SQL commands via crafted serialized data in the selected_graphs_array parameter in a save action. | |||||
| CVE-2015-8369 | 1 Cacti | 1 Cacti | 2016-12-07 | 7.5 HIGH | N/A |
| SQL injection vulnerability in include/top_graph_header.php in Cacti 0.8.8f and earlier allows remote attackers to execute arbitrary SQL commands via the rra_id parameter in a properties action to graph.php. | |||||
| CVE-2015-8604 | 1 Cacti | 1 Cacti | 2016-12-03 | 6.5 MEDIUM | 8.8 HIGH |
| SQL injection vulnerability in the host_new_graphs function in graphs_new.php in Cacti 0.8.8f and earlier allows remote authenticated users to execute arbitrary SQL commands via the cg_g parameter in a save action. | |||||