Cacti Security Vulnerabilities
spikekill.php in Cacti before 1.1.16 might allow remote attackers to execute arbitrary code via the avgnan, outlier-start, or outlier-end parameter.
9.8CVSS
9.6AI Score
0.032EPSS
Cross-site scripting (XSS) vulnerability in aggregate_graphs.php in Cacti before 1.1.16 allows remote authenticated users to inject arbitrary web script or HTML via specially crafted HTTP Referer headers, related to the $cancel_url variable. NOTE: this vulnerability exists because of an incomplete ...
5.4CVSS
6.4AI Score
0.001EPSS
A cross-site scripting vulnerability exists in Cacti 1.1.17 in the method parameter in spikekill.php.
6.1CVSS
5.7AI Score
0.009EPSS
lib/html.php in Cacti before 1.1.18 has XSS via the title field of an external link added by an authenticated user.
5.4CVSS
5.3AI Score
0.001EPSS
include/global_session.php in Cacti 1.1.25 has XSS related to (1) the URI or (2) the refresh page.
6.1CVSS
5.7AI Score
0.001EPSS
lib/rrd.php in Cacti 1.1.27 allows remote authenticated administrators to execute arbitrary OS commands via the path_rrdtool parameter in an action=save request to settings.php.
7.2CVSS
7AI Score
0.005EPSS
Cacti 1.1.27 allows remote authenticated administrators to conduct Remote Code Execution attacks by placing the Log Path under the web root, and then making a remote_agent.php request containing PHP code in a Client-ip header.
7.2CVSS
6.9AI Score
0.003EPSS
Cacti 1.1.27 allows remote authenticated administrators to read arbitrary files by placing the Log Path into a private directory, and then making a clog.php?filename= request, as demonstrated by filename=passwd (with a Log Path under /etc) to read /etc/passwd.
4.9CVSS
5.5AI Score
0.002EPSS
6.1CVSS
6AI Score
0.001EPSS
Cacti before 1.1.37 has XSS because the get_current_page function in lib/functions.php relies on $_SERVER['PHP_SELF'] instead of $_SERVER['SCRIPT_NAME'] to determine a page name.
5.4CVSS
5.1AI Score
0.001EPSS
Cacti before 1.1.37 has XSS because it does not properly reject unintended characters, related to use of the sanitize_uri function in lib/functions.php.
5.4CVSS
5.4AI Score
0.001EPSS
Cacti before 1.1.37 has XSS because it makes certain htmlspecialchars calls without the ENT_QUOTES flag (these calls occur when the html_escape function in lib/html.php is not used).
5.4CVSS
5.4AI Score
0.001EPSS
A cross-site scripting (XSS) vulnerability exists in color_templates.php in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Name field for a Color.
4.8CVSS
5.8AI Score
0.001EPSS
A cross-site scripting (XSS) vulnerability exists in pollers.php in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Website Hostname for Data Collectors.
4.8CVSS
5.8AI Score
0.001EPSS
A cross-site scripting (XSS) vulnerability exists in graph_templates.php in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Graph Vertical Label.
4.8CVSS
5.8AI Score
0.001EPSS
A cross-site scripting (XSS) vulnerability exists in host.php (via tree.php) in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Website Hostname field for Devices.
5.4CVSS
6.1AI Score
0.001EPSS
In clearFilter() in utilities.php in Cacti before 1.2.3, no escaping occurs before printing out the value of the SNMP community string (SNMP Options) in the View poller cache, leading to XSS.
5.4CVSS
5.5AI Score
0.001EPSS
In Cacti through 1.2.6, authenticated users may bypass authorization checks (for viewing a graph) via a direct graph_json.php request with a modified local_graph_id parameter.
4.3CVSS
5.6AI Score
0.003EPSS
Cacti through 1.2.7 is affected by a graphs.php?template_id= SQL injection vulnerability affecting how template identifiers are handled when a string and id composite value are used to identify the template type and id. An authenticated attacker can exploit this to extract data from the database, o...
6.5CVSS
7.5AI Score
0.105EPSS
Cacti through 1.2.7 is affected by multiple instances of lib/functions.php unsafe deserialization of user-controlled data to populate arrays. An authenticated attacker could use this to influence object data values and control actions taken by Cacti or potentially cause memory corruption in the PHP...
8.1CVSS
8AI Score
0.007EPSS
In Cacti before 1.2.11, disabling a user account does not immediately invalidate any permissions granted to that account (e.g., permission to view logs).
4.3CVSS
5.1AI Score
0.003EPSS
In Cacti before 1.2.11, auth_profile.php?action=edit allows CSRF for an admin email change.
6.5CVSS
6.5AI Score
0.001EPSS
A SQL injection issue in color.php in Cacti 1.2.12 allows an admin to inject SQL via the filter parameter. This can lead to remote command execution because the product accepts stacked queries.
7.2CVSS
7.4AI Score
0.357EPSS
Cacti before 1.2.18 allows remote attackers to trigger XSS via template import for the midwinter theme.
6.1CVSS
6AI Score
0.001EPSS
Multiple Cross Site Scripting (XSS) vulneratiblities exist in Cacti 1.2.12 in (1) reports_admin.php, (2) data_queries.php, (3) data_input.php, (4) graph_templates.php, (5) graphs.php, (6) reports_admin.php, and (7) data_input.php.
6.1CVSS
6AI Score
0.002EPSS
A cross-site scripting (XSS) vulnerability exists in templates_import.php (Cacti 1.2.13) due to Improper escaping of error message during template import preview in the xml_path field
6.1CVSS
5.8AI Score
0.006EPSS
An issue was discovered in Cacti 1.2.x through 1.2.16. A SQL injection vulnerability in data_debug.php allows remote authenticated attackers to execute arbitrary SQL commands via the site_id parameter. This can lead to remote code execution.
8.8CVSS
8.8AI Score
0.017EPSS
data_input.php in Cacti 1.2.8 allows remote code execution via a crafted Input String to Data Collection -> Data Input Methods -> Unix -> Ping Host. NOTE: the vendor has stated "This is a false alarm.
8.8CVSS
8.8AI Score
0.005EPSS
Cacti 1.2.8 has stored XSS in data_sources.php, color_templates_item.php, graphs.php, graph_items.php, lib/api_automation.php, user_admin.php, and user_group_admin.php, as demonstrated by the description parameter in data_sources.php (a raw string from the database that is displayed by $header to t...
6.1CVSS
6.7AI Score
0.018EPSS
Cacti 1.2.8 allows Remote Code Execution (by privileged users) via shell metacharacters in the Performance Boost Debug Log field of poller_automation.php. OS commands are executed when a new poller cycle begins. The attacker must be authenticated, and must have access to modify the Performance Sett...
8.8CVSS
8.6AI Score
0.027EPSS
graph_realtime.php in Cacti 1.2.8 allows remote attackers to execute arbitrary OS commands via shell metacharacters in a cookie, if a guest user has the graph real-time privilege.
8.8CVSS
8.8AI Score
0.921EPSS
Cacti 1.1.38 allows authenticated users with User Management permissions to inject arbitrary web script or HTML in the "new_username" field during creation of a new user via "Copy" method at user_admin.php.
5.4CVSS
5.5AI Score
0.001EPSS
As an unauthenticated remote user, visit "http://<CACTI_SERVER>/auth_changepassword.php?ref=<script>alert(1)</script>" to successfully execute the JavaScript payload present in the "ref" URL parameter.
6.1CVSS
6.4AI Score
0.003EPSS
Cacti 1.1.38 allows authenticated users with User Management permissions to inject arbitrary HTML in the group_prefix field during the creation of a new group via "Copy" method at user_group_admin.php.
5.4CVSS
5.2AI Score
0.001EPSS
Under certain ldap conditions, Cacti authentication can be bypassed with certain credential types.
9.8CVSS
9.4AI Score
0.003EPSS
Cross Site Scripting (XSS) vulnerability in Cacti 1.2.21 via crafted POST request to graphs_new.php.
6.1CVSS
5.9AI Score
0.001EPSS
Cacti is an open source platform which provides a robust and extensible operational monitoring and fault management framework for users. In affected versions a command injection vulnerability allows an unauthenticated user to execute arbitrary code on a server running Cacti, if a specific data sour...
In Cacti 1.2.19, there is an authentication bypass in the web login functionality because of improper validation in the PHP code: cacti_ldap_auth() allows a zero as the password.
5.3CVSS
5.8AI Score
0.001EPSS
A reflected cross-site scripting (XSS) vulnerability in Cacti 0.8.7g and earlier allows unauthenticated remote attackers to inject arbitrary web script or HTML in the "ref" parameter at auth_changepassword.php.
6.1CVSS
6AI Score
0.003EPSS
Cacti is an open source operational monitoring and fault management framework. There are two instances of insecure deserialization in Cacti version 1.2.24. While a viable gadget chain exists in Cacti’s vendor directory (phpseclib), the necessary gadgets are not included, making them inaccessible an...
4.3CVSS
6.7AI Score
0.06EPSS
Cacti is an open source operational monitoring and fault management framework. Affected versions are subject to a privilege escalation vulnerability. A low-privileged OS user with access to a Windows host where Cacti is installed can create arbitrary PHP files in a web document directory. The user ...
7.8CVSS
8.9AI Score
0.0004EPSS
Cacti before 1.2.6 allows IDOR (Insecure Direct Object Reference) for accessing any graph via a modified local_graph_id parameter to graph_xport.php. This is a different vulnerability than CVE-2019-16723.
7.5CVSS
5.6AI Score
0.003EPSS
Cacti is an open source operational monitoring and fault management framework. A defect in the sql_save function was discovered. When the column type is numeric, the sql_save function directly utilizes user input. Many files and functions calling the sql_save function do not perform prior validatio...
8.8CVSS
9.9AI Score
0.004EPSS
Cacti is an open source operational monitoring and fault management framework. An authenticated SQL injection vulnerability was discovered which allows authenticated users to perform privilege escalation and remote code execution. The vulnerability resides in the reports_user.php file. In ajax_get_...
8.8CVSS
9.5AI Score
0.001EPSS
Cacti is an open source operational monitoring and fault management framework. An authenticated SQL injection vulnerability was discovered which allows authenticated users to perform privilege escalation and remote code execution. The vulnerability resides in the graphs.php file. When dealing with ...
8.8CVSS
9.5AI Score
0.003EPSS
Cacti is an open source operational monitoring and fault management framework.Affected versions are subject to a Stored Cross-Site-Scripting (XSS) Vulnerability allows an authenticated user to poison data. The vulnerability is found in graphs_new.php. Several validations are performed, but the retu...
6.1CVSS
6.6AI Score
0.001EPSS
Cacti is an open source operational monitoring and fault management framework. Affected versions are subject to a SQL injection discovered in graph_view.php. Since guest users can access graph_view.php without authentication by default, if guest users are being utilized in an enabled state, there c...
9.8CVSS
9.9AI Score
0.041EPSS
Cacti is an open source operational monitoring and fault management framework. In Cacti 1.2.24, under certain conditions, an authenticated privileged user, can use a malicious string in the SNMP options of a Device, performing command injection and obtaining remote code execution on the underlying ...
7.2CVSS
8.6AI Score
0.028EPSS
Cacti is an open source operational monitoring and fault management framework. In Cacti 1.2.24, users with console access can be redirected to an arbitrary website after a change password performed via a specifically crafted URL. The auth_changepassword.php file accepts ref as a URL parameter and r...
5.4CVSS
7.2AI Score
0.001EPSS
Cacti is an open source operational monitoring and fault management framework. Issues with Cacti Regular Expression validation combined with the external links feature can lead to limited SQL Injections and subsequent data leakage. This issue has been addressed in version 1.2.25. Users are advised ...
6.3CVSS
6.2AI Score
0.003EPSS