Cacti Security Vulnerabilities and Issues — Cacti CVE List

Lucene search

CactiCacti

9 matches found

CVE•added 2020/02/22 2:15 a.m.•332 views

CVE-2020-8813

graph_realtime.php in Cacti 1.2.8 allows remote attackers to execute arbitrary OS commands via shell metacharacters in a cookie, if a guest user has the graph real-time privilege.

9.3CVSS8.8AI score0.94137EPSS

CVE•added 2020/01/16 4:15 a.m.•243 views

CVE-2020-7106

Cacti 1.2.8 has stored XSS in data_sources.php, color_templates_item.php, graphs.php, graph_items.php, lib/api_automation.php, user_admin.php, and user_group_admin.php, as demonstrated by the description parameter in data_sources.php (a raw string from the database that is displayed by $header to t...

6.1CVSS6.7AI score0.04094EPSS

CVE•added 2020/01/20 5:15 a.m.•226 views

CVE-2020-7237

Cacti 1.2.8 allows Remote Code Execution (by privileged users) via shell metacharacters in the Performance Boost Debug Log field of poller_automation.php. OS commands are executed when a new poller cycle begins. The attacker must be authenticated, and must have access to modify the Performance Sett...

9CVSS8.6AI score0.46813EPSS

CVE•added 2020/06/17 2:15 p.m.•209 views

CVE-2020-14295

A SQL injection issue in color.php in Cacti 1.2.12 allows an admin to inject SQL via the filter parameter. This can lead to remote command execution because the product accepts stacked queries.

7.2CVSS7.4AI score0.76286EPSS

CVE•added 2020/01/21 7:15 p.m.•164 views

CVE-2019-17357

Cacti through 1.2.7 is affected by a graphs.php?template_id= SQL injection vulnerability affecting how template identifiers are handled when a string and id composite value are used to identify the template type and id. An authenticated attacker can exploit this to extract data from the database, o...

6.5CVSS7.5AI score0.06768EPSS

CVE•added 2020/01/15 7:15 a.m.•97 views

CVE-2020-7058

data_input.php in Cacti 1.2.8 allows remote code execution via a crafted Input String to Data Collection -> Data Input Methods -> Unix -> Ping Host. NOTE: the vendor has stated "This is a false alarm.

8.8CVSS8.8AI score0.00916EPSS

CVE•added 2020/11/12 2:15 p.m.•83 views

CVE-2020-25706

A cross-site scripting (XSS) vulnerability exists in templates_import.php (Cacti 1.2.13) due to Improper escaping of error message during template import preview in the xml_path field

6.1CVSS5.8AI score0.01974EPSS

CVE•added 2020/05/20 2:15 p.m.•64 views

CVE-2020-13230

In Cacti before 1.2.11, disabling a user account does not immediately invalidate any permissions granted to that account (e.g., permission to view logs).

4.3CVSS5.1AI score0.00799EPSS

CVE•added 2020/05/20 2:15 p.m.•57 views

CVE-2020-13231

In Cacti before 1.2.11, auth_profile.php?action=edit allows CSRF for an admin email change.

6.5CVSS6.5AI score0.00456EPSS