CVE-2020-13230

In Cacti before 1.2.11, disabling a user account does not immediately invalidate any permissions granted to that account (e.g., permission to view logs).

CVE-2020-13231

In Cacti before 1.2.11, auth_profile.php?action=edit allows CSRF for an admin email change.