Vulnerabilities > Cacti

DATE CVE VULNERABILITY TITLE RISK
2021-01-11 CVE-2020-35701 SQL Injection vulnerability in multiple products
An issue was discovered in Cacti 1.2.x through 1.2.16.
network
low complexity
cacti fedoraproject CWE-89
6.5
2020-11-12 CVE-2020-25706 Cross-Site Scripting vulnerability in Cacti 1.2.13
A cross-site scripting (XSS) vulnerability exists in templates_import.php (Cacti 1.2.13) due to Improper escaping of error message during template import preview in the xml_path field
network
cacti CWE-79
4.3
2020-06-17 CVE-2020-14295 SQL Injection vulnerability in multiple products
A SQL injection issue in color.php in Cacti 1.2.12 allows an admin to inject SQL via the filter parameter.
network
low complexity
cacti fedoraproject CWE-89
6.5
2020-05-20 CVE-2020-13231 Cross-Site Request Forgery (CSRF) vulnerability in Cacti
In Cacti before 1.2.11, auth_profile.php?action=edit allows CSRF for an admin email change.
network
cacti CWE-352
4.3
2020-05-20 CVE-2020-13230 Improper Preservation of Permissions vulnerability in Cacti
In Cacti before 1.2.11, disabling a user account does not immediately invalidate any permissions granted to that account (e.g., permission to view logs).
network
low complexity
cacti CWE-281
4.0
2020-02-22 CVE-2020-8813 OS Command Injection vulnerability in Cacti 1.2.8
graph_realtime.php in Cacti 1.2.8 allows remote attackers to execute arbitrary OS commands via shell metacharacters in a cookie, if a guest user has the graph real-time privilege.
network
cacti CWE-78
critical
9.3
2020-01-21 CVE-2019-17357 SQL Injection vulnerability in Cacti
Cacti through 1.2.7 is affected by a graphs.php?template_id= SQL injection vulnerability affecting how template identifiers are handled when a string and id composite value are used to identify the template type and id.
network
low complexity
cacti CWE-89
4.0
2020-01-20 CVE-2020-7237 OS Command Injection vulnerability in Cacti 1.2.8
Cacti 1.2.8 allows Remote Code Execution (by privileged users) via shell metacharacters in the Performance Boost Debug Log field of poller_automation.php.
network
low complexity
cacti CWE-78
critical
9.0
2020-01-16 CVE-2020-7106 Cross-Site Scripting vulnerability in Cacti 1.2.8
Cacti 1.2.8 has stored XSS in data_sources.php, color_templates_item.php, graphs.php, graph_items.php, lib/api_automation.php, user_admin.php, and user_group_admin.php, as demonstrated by the description parameter in data_sources.php (a raw string from the database that is displayed by $header to trigger the XSS).
network
cacti CWE-79
4.3
2020-01-15 CVE-2020-7058 Improper Input Validation vulnerability in Cacti 1.2.8
** DISPUTED ** data_input.php in Cacti 1.2.8 allows remote code execution via a crafted Input String to Data Collection -> Data Input Methods -> Unix -> Ping Host.
network
low complexity
cacti CWE-20
6.5