Search: Cacti

137 matches found; the 50 entries below are sorted by view count.

CVE-2025-24367 (added 2025/01/27 6:15 p.m., 939 views)

Cacti is an open source performance and fault management framework. An authenticated Cacti user can abuse graph creation and graph template functionality to create arbitrary PHP scripts in the web root of the application, leading to remote code execution on the server. This vulnerability is fixed i...

CVSS 8.8, AI score 7.9, EPSS 0.04679

CVE-2022-46169 (added 2022/12/05 9:15 p.m., 675 views)

Cacti is an open source platform which provides a robust and extensible operational monitoring and fault management framework for users. In affected versions a command injection vulnerability allows an unauthenticated user to execute arbitrary code on a server running Cacti, if a specific data sour...

CVSS 9.8, AI score 10, EPSS 0.94469

CVE-2020-8813 (added 2020/02/22 2:15 a.m., 332 views)

graph_realtime.php in Cacti 1.2.8 allows remote attackers to execute arbitrary OS commands via shell metacharacters in a cookie, if a guest user has the graph real-time privilege.

CVSS 9.3, AI score 8.8, EPSS 0.94137

CVE-2020-7106 (added 2020/01/16 4:15 a.m., 243 views)

Cacti 1.2.8 has stored XSS in data_sources.php, color_templates_item.php, graphs.php, graph_items.php, lib/api_automation.php, user_admin.php, and user_group_admin.php, as demonstrated by the description parameter in data_sources.php (a raw string from the database that is displayed by $header to t...

CVSS 6.1, AI score 6.7, EPSS 0.04094

CVE-2020-7237 (added 2020/01/20 5:15 a.m., 226 views)

Cacti 1.2.8 allows Remote Code Execution (by privileged users) via shell metacharacters in the Performance Boost Debug Log field of poller_automation.php. OS commands are executed when a new poller cycle begins. The attacker must be authenticated, and must have access to modify the Performance Sett...

CVSS 9, AI score 8.6, EPSS 0.46813

CVE-2020-14295 (added 2020/06/17 2:15 p.m., 209 views)

A SQL injection issue in color.php in Cacti 1.2.12 allows an admin to inject SQL via the filter parameter. This can lead to remote command execution because the product accepts stacked queries.

CVSS 7.2, AI score 7.4, EPSS 0.76286

CVE-2020-35701 (added 2021/01/11 4:15 p.m., 172 views)

An issue was discovered in Cacti 1.2.x through 1.2.16. A SQL injection vulnerability in data_debug.php allows remote authenticated attackers to execute arbitrary SQL commands via the site_id parameter. This can lead to remote code execution.

CVSS 8.8, AI score 8.8, EPSS 0.05865

CVE-2024-25641 (added 2024/05/14 3:05 p.m., 170 views)

Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, an arbitrary file write vulnerability, exploitable through the "Package Import" feature, allows authenticated users having the "Import Templates" permission to execute arbitrary PHP code on the web ser...

CVSS 9.1, AI score 9.3, EPSS 0.85176

CVE-2019-17358 (added 2019/12/12 2:15 p.m., 169 views)

Cacti through 1.2.7 is affected by multiple instances of lib/functions.php unsafe deserialization of user-controlled data to populate arrays. An authenticated attacker could use this to influence object data values and control actions taken by Cacti or potentially cause memory corruption in the PHP...

CVSS 8.1, AI score 8, EPSS 0.02418

CVE-2019-17357 (added 2020/01/21 7:15 p.m., 164 views)

Cacti through 1.2.7 is affected by a graphs.php?template_id= SQL injection vulnerability affecting how template identifiers are handled when a string and id composite value are used to identify the template type and id. An authenticated attacker can exploit this to extract data from the database, o...

CVSS 6.5, AI score 7.5, EPSS 0.06768

CVE-2019-16723 (added 2019/09/23 3:15 p.m., 162 views)

In Cacti through 1.2.6, authenticated users may bypass authorization checks (for viewing a graph) via a direct graph_json.php request with a modified local_graph_id parameter.

CVSS 4.3, AI score 5.6, EPSS 0.00205

CVE-2023-39516 (added 2023/09/05 10:15 p.m., 160 views)

Cacti is an open source operational monitoring and fault management framework. Affected versions are subject to a stored cross-site scripting (XSS) vulnerability which allows an authenticated user to poison data stored in Cacti's database. These data will be viewed by administrative Cacti acco...

CVSS 6.1, AI score 6.6, EPSS 0.00259

CVE-2009-4112 (added 2009/11/30 9:30 p.m., 153 views)

Cacti 0.8.7e and earlier allows remote authenticated administrators to gain privileges by modifying the "Data Input Method" for the "Linux - Get Memory Usage" setting to contain arbitrary commands.

CVSS 9, AI score 8.7, EPSS 0.0843

CVE-2022-0730 (added 2022/03/03 11:15 p.m., 153 views)

Under certain LDAP conditions, Cacti authentication can be bypassed with certain credential types.

CVSS 9.8, AI score 9.4, EPSS 0.00435

CVE-2023-39515 (added 2023/09/05 9:15 p.m., 146 views)

Cacti is an open source operational monitoring and fault management framework. Affected versions are subject to a stored cross-site scripting (XSS) vulnerability which allows an authenticated user to poison data stored in Cacti's database. These data will be viewed by administrative Cacti accounts an...

CVSS 6.1, AI score 6.1, EPSS 0.00235

CVE-2023-39365 (added 2023/09/05 10:15 p.m., 145 views)

Cacti is an open source operational monitoring and fault management framework. Issues with Cacti Regular Expression validation combined with the external links feature can lead to limited SQL Injections and subsequent data leakage. This issue has been addressed in version 1.2.25. Users are advised ...

CVSS 6.3, AI score 7.1, EPSS 0.0017

CVE-2023-39360 (added 2023/09/05 9:15 p.m., 139 views)

Cacti is an open source operational monitoring and fault management framework. Affected versions are subject to a stored cross-site scripting (XSS) vulnerability which allows an authenticated user to poison data. The vulnerability is found in graphs_new.php. Several validations are performed, but the retu...

CVSS 6.1, AI score 6.4, EPSS 0.00482

CVE-2018-20723 (added 2019/01/16 4:29 p.m., 137 views)

A cross-site scripting (XSS) vulnerability exists in color_templates.php in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Name field for a Color.

CVSS 4.8, AI score 5.8, EPSS 0.00526

CVE-2018-20724 (added 2019/01/16 4:29 p.m., 136 views)

A cross-site scripting (XSS) vulnerability exists in pollers.php in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Website Hostname for Data Collectors.

CVSS 4.8, AI score 5.8, EPSS 0.00618

CVE-2018-20725 (added 2019/01/16 4:29 p.m., 134 views)

A cross-site scripting (XSS) vulnerability exists in graph_templates.php in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Graph Vertical Label.

CVSS 4.8, AI score 5.8, EPSS 0.00526

CVE-2018-20726 (added 2019/01/16 4:29 p.m., 129 views)

A cross-site scripting (XSS) vulnerability exists in host.php (via tree.php) in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Website Hostname field for Devices.

CVSS 5.4, AI score 6.1, EPSS 0.00541

CVE-2023-39359 (added 2023/09/05 9:15 p.m., 126 views)

Cacti is an open source operational monitoring and fault management framework. An authenticated SQL injection vulnerability was discovered which allows authenticated users to perform privilege escalation and remote code execution. The vulnerability resides in the graphs.php file. When dealing with ...

CVSS 8.8, AI score 9.6, EPSS 0.04724

CVE-2023-39366 (added 2023/09/05 9:15 p.m., 121 views)

Cacti is an open source operational monitoring and fault management framework. Affected versions are subject to a stored cross-site scripting (XSS) vulnerability which allows an authenticated user to poison data stored in Cacti's database. These data will be viewed by administrative Cacti accounts a...

CVSS 6.1, AI score 5.7, EPSS 0.00331

CVE-2025-22604 (added 2025/01/27 5:15 p.m., 112 views)

Cacti is an open source performance and fault management framework. Due to a flaw in multi-line SNMP result parser, authenticated users can inject malformed OIDs in the response. When processed by ss_net_snmp_disk_io() or ss_net_snmp_disk_bytes(), a part of each OID will be used as a key in an arra...

CVSS 9.1, AI score 7, EPSS 0.40571

CVE-2023-39511 (added 2023/09/06 6:15 p.m., 111 views)

Cacti is an open source operational monitoring and fault management framework. Affected versions are subject to a stored cross-site scripting (XSS) vulnerability which allows an authenticated user to poison data stored in Cacti's database. These data will be viewed by administrative Cacti acco...

CVSS 6.1, AI score 6.5, EPSS 0.00512

CVE-2015-4454 (added 2015/06/17 6:59 p.m., 109 views)

SQL injection vulnerability in the get_hash_graph_template function in lib/functions.php in Cacti before 0.8.8d allows remote attackers to execute arbitrary SQL commands via the graph_template_id parameter to graph_templates.php.

CVSS 7.5, AI score 9, EPSS 0.00644

CVE-2015-4634 (added 2015/08/11 2:59 p.m., 103 views)

SQL injection vulnerability in graphs.php in Cacti before 0.8.8e allows remote attackers to execute arbitrary SQL commands via the local_graph_id parameter.

CVSS 7.5, AI score 9, EPSS 0.00409

CVE-2020-7058 (added 2020/01/15 7:15 a.m., 97 views)

data_input.php in Cacti 1.2.8 allows remote code execution via a crafted Input String to Data Collection -> Data Input Methods -> Unix -> Ping Host. NOTE: the vendor has stated "This is a false alarm."

CVSS 8.8, AI score 8.8, EPSS 0.00916

CVE-2023-31132 (added 2023/09/05 10:15 p.m., 96 views)

Cacti is an open source operational monitoring and fault management framework. Affected versions are subject to a privilege escalation vulnerability. A low-privileged OS user with access to a Windows host where Cacti is installed can create arbitrary PHP files in a web document directory. The user ...

CVSS 7.8, AI score 9, EPSS 0.00119

CVE-2024-31459 (added 2024/05/14 3:25 p.m., 96 views)

Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, there is a file inclusion issue in the lib/plugin.php file. Combined with SQL injection vulnerabilities, remote code execution can be implemented. There is a file inclusion issue with the api_plugin_ho...

CVSS 8, AI score 8.2, EPSS 0.0201

CVE-2016-3172 (added 2016/04/12 4:59 p.m., 95 views)

SQL injection vulnerability in tree.php in Cacti 0.8.8g and earlier allows remote authenticated users to execute arbitrary SQL commands via the parent_id parameter in an item_edit action.

CVSS 8.8, AI score 8.7, EPSS 0.00522

CVE-2023-30534 (added 2023/09/05 10:15 p.m., 94 views)

Cacti is an open source operational monitoring and fault management framework. There are two instances of insecure deserialization in Cacti version 1.2.24. While a viable gadget chain exists in Cacti's vendor directory (phpseclib), the necessary gadgets are not included, making them inaccessible an...

CVSS 4.3, AI score 6.8, EPSS 0.38717

CVE-2024-31445 (added 2024/05/14 3:25 p.m., 88 views)

Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, a SQL injection vulnerability in automation_get_new_graphs_sql function of api_automation.php allows authenticated users to exploit these SQL injection vulnerabilities to perform privilege escalation a...

CVSS 8.8, AI score 8.2, EPSS 0.35841

CVE-2024-31460 (added 2024/05/14 3:25 p.m., 88 views)

Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, some of the data stored in automation_tree_rules.php is not thoroughly checked and is used to concatenate the SQL statement in create_all_header_nodes() function from lib/api_automation.php, finally r...

CVSS 8.8, AI score 8.3, EPSS 0.01075

CVE-2020-25706 (added 2020/11/12 2:15 p.m., 83 views)

A cross-site scripting (XSS) vulnerability exists in templates_import.php (Cacti 1.2.13) due to improper escaping of the error message during template import preview in the xml_path field.

CVSS 6.1, AI score 5.8, EPSS 0.01974

CVE-2023-39362 (added 2023/09/05 10:15 p.m., 83 views)

Cacti is an open source operational monitoring and fault management framework. In Cacti 1.2.24, under certain conditions, an authenticated privileged user, can use a malicious string in the SNMP options of a Device, performing command injection and obtaining remote code execution on the underlying ...

CVSS 7.2, AI score 7.6, EPSS 0.86745

CVE-2023-49086 (added 2023/12/22 12:15 a.m., 83 views)

Cacti is a robust performance and fault management framework and a frontend to RRDTool - a Time Series Database (TSDB). A vulnerability in versions prior to 1.2.27 bypasses an earlier fix for CVE-2023-39360, therefore leading to a DOM XSS attack. Exploitation of the vulnerability is possible for an...

CVSS 5.4, AI score 7.2, EPSS 0.00951

CVE-2013-1434 (added 2013/08/23 4:55 p.m., 82 views)

Multiple SQL injection vulnerabilities in (1) api_poller.php and (2) utility.php in Cacti before 0.8.8b allow remote attackers to execute arbitrary SQL commands via unspecified vectors.

CVSS 7.5, AI score 9.2, EPSS 0.01147

CVE-2023-39357 (added 2023/09/05 10:15 p.m., 81 views)

Cacti is an open source operational monitoring and fault management framework. A defect in the sql_save function was discovered. When the column type is numeric, the sql_save function directly utilizes user input. Many files and functions calling the sql_save function do not perform prior validatio...

CVSS 8.8, AI score 10, EPSS 0.01695

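The defect pattern in CVE-2023-39357 above (a shared save helper that quotes string columns but concatenates numeric columns raw, trusting every caller to validate first) is easy to reproduce. The Python/sqlite3 script below is an added illustration, not Cacti's sql_save, its schema or any code from this site: the table, the column-type map and the request values are constructed here. It shows the raw-numeric build letting a tautology in the key column widen a one-row UPDATE to the whole table, and a hardened builder that coerces numeric columns with int(), refuses unknown column names, and binds every value as a parameter.

```python
import sqlite3

# Illustrative column map, not Cacti's schema: a save helper needs to know
# which columns are numeric so it can decide whether to quote them.
COLUMN_TYPES = {"id": "int", "name": "string", "color_id": "int"}


def quote_string(value):
    """Quote a string column the way a hand-rolled escaper typically does."""
    return "'" + str(value).replace("'", "''") + "'"


def sql_save_vulnerable(conn, table, row, key="id"):
    """Build and run an UPDATE from a column->value dict.

    String columns are quoted, but numeric columns (including the key used in
    the WHERE clause) are concatenated raw, on the assumption that the caller
    already validated them. That is the defect pattern described for sql_save.
    """
    assignments = []
    for col, val in row.items():
        if col == key:
            continue
        if COLUMN_TYPES[col] == "string":
            assignments.append(f"{col} = {quote_string(val)}")
        else:
            assignments.append(f"{col} = {val}")          # raw numeric
    sql = f"UPDATE {table} SET {', '.join(assignments)} WHERE {key} = {row[key]}"
    conn.execute(sql)
    return sql


def to_typed(col, val):
    """Coerce a value to its declared column type, rejecting anything that is
    not a plain integer for numeric columns. Unknown columns are refused so
    identifiers cannot be smuggled in through the dict keys either."""
    if col not in COLUMN_TYPES:
        raise ValueError(f"unknown column {col!r}")
    if COLUMN_TYPES[col] == "int":
        if isinstance(val, bool) or not str(val).strip().lstrip("-").isdigit():
            raise ValueError(f"non-numeric value for numeric column {col}: {val!r}")
        return int(val)
    return str(val)


def sql_save_hardened(conn, table, row, key="id"):
    """Same builder, but every value goes through to_typed() and is bound as a
    parameter; only validated column names reach the statement text."""
    assignments, params = [], []
    for col, val in row.items():
        if col == key:
            continue
        params.append(to_typed(col, val))
        assignments.append(f"{col} = ?")
    params.append(to_typed(key, row[key]))
    sql = f"UPDATE {table} SET {', '.join(assignments)} WHERE {key} = ?"
    conn.execute(sql, params)
    return sql


def fresh_db():
    """In-memory table with three rows (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE graph_templates "
                 "(id INTEGER PRIMARY KEY, name TEXT, color_id INTEGER)")
    conn.executemany("INSERT INTO graph_templates VALUES (?, ?, ?)",
                     [(1, "Traffic", 10), (2, "CPU", 20), (3, "Memory", 30)])
    return conn


def names_with_color(conn, color_id):
    rows = conn.execute("SELECT name FROM graph_templates WHERE color_id = ? "
                        "ORDER BY id", (color_id,))
    return [r[0] for r in rows]


def demo():
    # Constructed request values: the numeric key carries a tautology, so the
    # raw build turns a one-row UPDATE into a table-wide one.
    tainted = {"id": "1 OR 1=1", "name": "Traffic", "color_id": "99"}

    vuln = fresh_db()
    sql_save_vulnerable(vuln, "graph_templates", tainted)
    rewritten = names_with_color(vuln, 99)        # all three rows now match

    hard = fresh_db()
    try:
        sql_save_hardened(hard, "graph_templates", tainted)
        rejected = False
    except ValueError:
        rejected = True
    untouched = names_with_color(hard, 99)        # nothing was written
    return rewritten, rejected, untouched


if __name__ == "__main__":
    print(demo())
```

sqlite3's execute() refuses a second statement, so this does not reproduce the stacked-query escalation mentioned under CVE-2020-14295 (a MySQL-side property); the tautology alone is enough to show why the numeric path must be validated inside the helper rather than in each of its many callers.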
CVE-2015-8604 (added 2016/04/11 9:59 p.m., 80 views)

SQL injection vulnerability in the host_new_graphs function in graphs_new.php in Cacti 0.8.8f and earlier allows remote authenticated users to execute arbitrary SQL commands via the cg_g parameter in a save action.

CVSS 8.8, AI score 8.7, EPSS 0.0063

CVE-2019-11025 (added 2019/04/08 11:29 p.m., 79 views)

In clearFilter() in utilities.php in Cacti before 1.2.3, no escaping occurs before printing out the value of the SNMP community string (SNMP Options) in the View poller cache, leading to XSS.

CVSS 5.4, AI score 5.5, EPSS 0.00446

CVE-2020-23226 (added 2021/08/27 6:15 p.m., 76 views)

Multiple cross-site scripting (XSS) vulnerabilities exist in Cacti 1.2.12 in (1) reports_admin.php, (2) data_queries.php, (3) data_input.php, (4) graph_templates.php, (5) graphs.php, (6) reports_admin.php, and (7) data_input.php.

CVSS 6.1, AI score 6, EPSS 0.0129

CVE-2025-24368 (added 2025/01/27 6:15 p.m., 76 views)

Cacti is an open source performance and fault management framework. Some of the data stored in automation_tree_rules.php is not thoroughly checked and is used to concatenate the SQL statement in build_rule_item_filter() function from lib/api_automation.php, resulting in SQL injection. This vulnerab...

CVSS 7.5, AI score 7.5, EPSS 0.00104

CVE-2014-2708 (added 2014/04/10 8:29 p.m., 75 views)

Multiple SQL injection vulnerabilities in graph_xport.php in Cacti 0.8.7g, 0.8.8b, and earlier allow remote attackers to execute arbitrary SQL commands via the (1) graph_start, (2) graph_end, (3) graph_height, (4) graph_width, (5) graph_nolegend, (6) print_source, (7) local_graph_id, or (8) rra_id ...

CVSS 7.5, AI score 9.2, EPSS 0.01497

CVE-2015-8369 (added 2015/12/17 7:59 p.m., 75 views)

SQL injection vulnerability in include/top_graph_header.php in Cacti 0.8.8f and earlier allows remote attackers to execute arbitrary SQL commands via the rra_id parameter in a properties action to graph.php.

CVSS 7.5, AI score 8.9, EPSS 0.00495

CVE-2023-39361 (added 2023/09/05 9:15 p.m., 74 views)

Cacti is an open source operational monitoring and fault management framework. Affected versions are subject to a SQL injection discovered in graph_view.php. Since guest users can access graph_view.php without authentication by default, if guest users are being utilized in an enabled state, there c...

CVSS 9.8, AI score 10, EPSS 0.93059

CVE-2009-4032 (added 2009/11/29 1:07 p.m., 72 views)

Multiple cross-site scripting (XSS) vulnerabilities in Cacti 0.8.7e allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) graph.php, (2) include/top_graph_header.php, (3) lib/html_form.php, and (4) lib/timespan_settings.php, as demonstrated by the (a) graph_end or...

CVSS 4.3, AI score 5.4, EPSS 0.06761

CVE-2023-49088 (added 2023/12/22 5:15 p.m., 72 views)

Cacti is an open source operational monitoring and fault management framework. The fix applied for CVE-2023-39515 in version 1.2.25 is incomplete as it enables an adversary to have a victim browser execute malicious code when a victim user hovers their mouse over the malicious data source path in d...

CVSS 6.1, AI score 6.6, EPSS 0.00982

CVE-2024-34340 (added 2024/05/14 3:38 p.m., 72 views)

Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, Cacti calls compat_password_hash when users set their password. compat_password_hash use password_hash if there is it, else use md5. When verifying password, it calls compat_password_verify. In compat_...

CVSS 9.1, AI score 9.1, EPSS 0.00635

CVE-2014-2328 (added 2014/04/23 3:55 p.m., 71 views)

lib/graph_export.php in Cacti 0.8.7g, 0.8.8b, and earlier allows remote authenticated users to execute arbitrary commands via shell metacharacters in unspecified vectors.

CVSS 6.5, AI score 8.6, EPSS 0.01128

Total number of security vulnerabilities: 137
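A practical use of a listing like this is to ask which entries apply to the Cacti build actually deployed. The script below is an added example, not code from this site or the Cacti project. It parses Cacti version strings, including the lettered 0.8.8x point releases, and reports which entries above have a stated affected range containing a given version. Only entries whose summary gives a bound are encoded, and the bounds are taken literally from the wording ("before X" and "prior to X" exclude X; "through X" and "X and earlier" include X, and "Cacti 1.2.x through 1.2.16" is read as 1.2.0 through 1.2.16). Entries that name only a single version such as "Cacti 1.2.8", whose fix version is cut off in the summary, or that list several versions ambiguously ("0.8.7g, 0.8.8b, and earlier") are left out, so an empty result is not a clean bill of health.

```python
import re
import sys

# Cacti version strings on this page look like "1.2.27" or "0.8.8e". The
# trailing letter is a point release that sorts after the bare number
# (0.8.8 < 0.8.8a < 0.8.8b), so it is kept as a fourth tuple element.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]?)$")


def parse_version(text):
    """Turn '0.8.8e' into (0, 8, 8, 'e') so tuples compare in release order."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Cacti version string: {text!r}")
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch), suffix)


# (cve, lowest affected version or None, highest affected version,
#  highest-inclusive?). Ranges copied from the wording of the entries above;
# entries without an explicit bound are intentionally absent.
AFFECTED = [
    ("CVE-2009-4112",  None,    "0.8.7e", True),    # "0.8.7e and earlier"
    ("CVE-2013-1434",  None,    "0.8.8b", False),   # "before 0.8.8b"
    ("CVE-2015-4454",  None,    "0.8.8d", False),   # "before 0.8.8d"
    ("CVE-2015-4634",  None,    "0.8.8e", False),   # "before 0.8.8e"
    ("CVE-2015-8369",  None,    "0.8.8f", True),    # "0.8.8f and earlier"
    ("CVE-2015-8604",  None,    "0.8.8f", True),    # "0.8.8f and earlier"
    ("CVE-2016-3172",  None,    "0.8.8g", True),    # "0.8.8g and earlier"
    ("CVE-2018-20723", None,    "1.2.0",  False),   # "before 1.2.0"
    ("CVE-2018-20724", None,    "1.2.0",  False),
    ("CVE-2018-20725", None,    "1.2.0",  False),
    ("CVE-2018-20726", None,    "1.2.0",  False),
    ("CVE-2019-11025", None,    "1.2.3",  False),   # "before 1.2.3"
    ("CVE-2019-16723", None,    "1.2.6",  True),    # "through 1.2.6"
    ("CVE-2019-17357", None,    "1.2.7",  True),    # "through 1.2.7"
    ("CVE-2019-17358", None,    "1.2.7",  True),
    ("CVE-2020-35701", "1.2.0", "1.2.16", True),    # "1.2.x through 1.2.16"
    ("CVE-2023-49086", None,    "1.2.27", False),   # "prior to 1.2.27"
    ("CVE-2024-25641", None,    "1.2.27", False),
    ("CVE-2024-31445", None,    "1.2.27", False),
    ("CVE-2024-31459", None,    "1.2.27", False),
    ("CVE-2024-31460", None,    "1.2.27", False),
    ("CVE-2024-34340", None,    "1.2.27", False),
]


def is_affected(version, low, high, high_inclusive):
    """True when version lies inside the stated range."""
    v = parse_version(version)
    if low is not None and v < parse_version(low):
        return False
    h = parse_version(high)
    return v <= h if high_inclusive else v < h


def affected_cves(version):
    """CVE ids from AFFECTED whose stated range contains the given version,
    in the order they appear in the table."""
    return [cve for cve, low, high, inc in AFFECTED
            if is_affected(version, low, high, inc)]


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "1.2.26"
    hits = affected_cves(target)
    print(f"Cacti {target}: {len(hits)} listed CVE(s) with a matching stated range")
    for cve in hits:
        print(" ", cve)
```

Run it as `python check_cacti.py 1.2.26` (the file name is whatever you save it under). Because the bounds are literal, a pre-1.2 version such as 0.8.8c also matches every "before 1.2.0" entry; that is what the summaries say, and the script does not try to second-guess them.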