Cacti: 19 matches found

CVE, added 2019/01/16 4:29 p.m. (129 views)

CVE-2018-20726

A cross-site scripting (XSS) vulnerability exists in host.php (via tree.php) in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Website Hostname field for Devices.

CVSS 5.4, AI score 6.1, EPSS 0.00541

CVE, added 2023/12/22 12:15 a.m. (83 views)

CVE-2023-49086

Cacti is a robust performance and fault management framework and a frontend to RRDTool - a Time Series Database (TSDB). A vulnerability in versions prior to 1.2.27 bypasses an earlier fix for CVE-2023-39360, therefore leading to a DOM XSS attack. Exploitation of the vulnerability is possible for an...

CVSS 5.4, AI score 7.2, EPSS 0.00951

CVE, added 2019/04/08 11:29 p.m. (79 views)

CVE-2019-11025

In clearFilter() in utilities.php in Cacti before 1.2.3, no escaping occurs before printing out the value of the SNMP community string (SNMP Options) in the View poller cache, leading to XSS.

CVSS 5.4, AI score 5.5, EPSS 0.00446

CVE, added 2024/05/14 3:25 p.m. (65 views)

CVE-2024-31444

Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, some of the data stored in automation_tree_rules_form_save() function in automation_tree_rules.php is not thoroughly checked and is used to concatenate the HTML statement in form_confirm() function fro...

CVSS 5.4, AI score 5.9, EPSS 0.05424

CVE, added 2023/09/05 10:15 p.m. (57 views)

CVE-2023-39364

Cacti is an open source operational monitoring and fault management framework. In Cacti 1.2.24, users with console access can be redirected to an arbitrary website after a change password performed via a specifically crafted URL. The auth_changepassword.php file accepts ref as a URL parameter and r...

CVSS 5.4, AI score 6.6, EPSS 0.00166

CVE, added 2024/05/14 3:17 p.m. (57 views)

CVE-2024-29894

Cacti provides an operational monitoring and fault management framework. Versions of Cacti prior to 1.2.27 contain a residual cross-site scripting vulnerability caused by an incomplete fix for CVE-2023-50250. raise_message_javascript from lib/functions.php now uses purify.js to fix CVE-2023-50250 (...

CVSS 5.4, AI score 6.1, EPSS 0.02167

CVE, added 2017/07/06 11:29 a.m. (54 views)

CVE-2017-10970

Cross-site scripting (XSS) vulnerability in link.php in Cacti 1.1.12 allows remote anonymous users to inject arbitrary web script or HTML via the id parameter, related to the die_html_input_error function in lib/html_validate.php.

CVSS 5.4, AI score 5.3, EPSS 0.00223

CVE, added 2022/01/19 9:15 p.m. (54 views)

CVE-2021-23225

Cacti 1.1.38 allows authenticated users with User Management permissions to inject arbitrary web script or HTML in the "new_username" field during creation of a new user via "Copy" method at user_admin.php.

CVSS 5.4, AI score 5.5, EPSS 0.00651

CVE, added 2023/08/22 7:16 p.m. (54 views)

CVE-2022-48538

In Cacti 1.2.19, there is an authentication bypass in the web login functionality because of improper validation in the PHP code: cacti_ldap_auth() allows a zero as the password.

CVSS 5.3, AI score 5.8, EPSS 0.00099

CVE, added 2024/05/14 3:25 p.m. (53 views)

CVE-2024-31443

Cacti provides an operational monitoring and fault management framework. Prior to 1.2.27, some of the data stored in form_save() function in data_queries.php is not thoroughly checked and is used to concatenate the HTML statement in grow_right_pane_tree() function from lib/html.php, finally result...

CVSS 5.7, AI score 5.8, EPSS 0.00347

CVE, added 2022/01/19 9:15 p.m. (52 views)

CVE-2021-3816

Cacti 1.1.38 allows authenticated users with User Management permissions to inject arbitrary HTML in the group_prefix field during the creation of a new group via "Copy" method at user_group_admin.php.

CVSS 5.4, AI score 5.2, EPSS 0.00436

CVE, added 2017/07/27 6:29 a.m. (51 views)

CVE-2017-11691

Cross-site scripting (XSS) vulnerability in auth_profile.php in Cacti 1.1.13 allows remote attackers to inject arbitrary web script or HTML via specially crafted HTTP Referer headers.

CVSS 5.4, AI score 5.4, EPSS 0.00484

CVE, added 2017/08/01 5:29 a.m. (51 views)

CVE-2017-12066

Cross-site scripting (XSS) vulnerability in aggregate_graphs.php in Cacti before 1.1.16 allows remote authenticated users to inject arbitrary web script or HTML via specially crafted HTTP Referer headers, related to the $cancel_url variable. NOTE: this vulnerability exists because of an incomplete ...

CVSS 5.4, AI score 6.4, EPSS 0.0024

CVE, added 2017/08/21 7:29 a.m. (48 views)

CVE-2017-12978

lib/html.php in Cacti before 1.1.18 has XSS via the title field of an external link added by an authenticated user.

CVSS 5.4, AI score 5.3, EPSS 0.00302

CVE, added 2018/04/12 4:29 p.m. (48 views)

CVE-2018-10060

Cacti before 1.1.37 has XSS because it does not properly reject unintended characters, related to use of the sanitize_uri function in lib/functions.php.

CVSS 5.4, AI score 5.4, EPSS 0.00667

CVE, added 2018/04/12 4:29 p.m. (45 views)

CVE-2018-10061

Cacti before 1.1.37 has XSS because it makes certain htmlspecialchars calls without the ENT_QUOTES flag (these calls occur when the html_escape function in lib/html.php is not used).

CVSS 5.4, AI score 5.4, EPSS 0.00955

CVE, added 2017/07/10 6:29 p.m. (44 views)

CVE-2017-11163

Cross-site scripting (XSS) vulnerability in aggregate_graphs.php in Cacti 1.1.12 allows remote authenticated users to inject arbitrary web script or HTML via specially crafted HTTP Referer headers, related to the $cancel_url variable.

CVSS 5.4, AI score 5.1, EPSS 0.00223

CVE, added 2018/04/12 4:29 p.m. (40 views)

CVE-2018-10059

Cacti before 1.1.37 has XSS because the get_current_page function in lib/functions.php relies on $_SERVER['PHP_SELF'] instead of $_SERVER['SCRIPT_NAME'] to determine a page name.

CVSS 5.4, AI score 5.1, EPSS 0.00287

CVE, added 2008/02/14 11:00 p.m. (37 views)

CVE-2008-0784

graph.php in Cacti 0.8.7 before 0.8.7b and 0.8.6 before 0.8.6k allows remote attackers to obtain the full path via an invalid local_graph_id parameter and other unspecified vectors.

CVSS 5, AI score 6.2, EPSS 0.01439