Vulnerabilities > Cacti

DATE CVE VULNERABILITY TITLE RISK
2023-08-22 CVE-2022-48538 Incorrect Authorization vulnerability in Cacti 1.2.19
In Cacti 1.2.19, there is an authentication bypass in the web login functionality because of improper validation in the PHP code: cacti_ldap_auth() allows a zero as the password.
network
low complexity
cacti CWE-863
5.3
2023-08-22 CVE-2022-48547 Cross-site Scripting vulnerability in Cacti
A reflected cross-site scripting (XSS) vulnerability in Cacti 0.8.7g and earlier allows unauthenticated remote attackers to inject arbitrary web script or HTML in the "ref" parameter at auth_changepassword.php.
network
low complexity
cacti CWE-79
6.1
2023-08-10 CVE-2023-37543 Authorization Bypass Through User-Controlled Key vulnerability in Cacti
Cacti before 1.2.6 allows IDOR (Insecure Direct Object Reference) for accessing any graph via a modified local_graph_id parameter to graph_xport.php.
network
low complexity
cacti CWE-639
7.5
2022-12-05 CVE-2022-46169 Incorrect Authorization vulnerability in Cacti
Cacti is an open source platform which provides a robust and extensible operational monitoring and fault management framework for users.
network
low complexity
cacti CWE-863
critical
9.8
2022-03-03 CVE-2022-0730 Under certain ldap conditions, Cacti authentication can be bypassed with certain credential types.
network
low complexity
cacti debian fedoraproject
critical
9.8
2022-01-19 CVE-2021-23225 Cross-site Scripting vulnerability in multiple products
Cacti 1.1.38 allows authenticated users with User Management permissions to inject arbitrary web script or HTML in the "new_username" field during creation of a new user via "Copy" method at user_admin.php.
network
low complexity
cacti debian CWE-79
5.4
2022-01-19 CVE-2021-26247 Cross-site Scripting vulnerability in Cacti 0.8.7G
As an unauthenticated remote user, visit "http://<CACTI_SERVER>/auth_changepassword.php?ref=<script>alert(1)</script>" to successfully execute the JavaScript payload present in the "ref" URL parameter.
network
low complexity
cacti CWE-79
6.1
2022-01-19 CVE-2021-3816 Cross-site Scripting vulnerability in Cacti 1.1.38
Cacti 1.1.38 allows authenticated users with User Management permissions to inject arbitrary HTML in the group_prefix field during the creation of a new group via "Copy" method at user_group_admin.php.
network
low complexity
cacti CWE-79
5.4
2021-11-14 CVE-2020-14424 Cross-site Scripting vulnerability in Cacti
Cacti before 1.2.18 allows remote attackers to trigger XSS via template import for the midwinter theme.
network
low complexity
cacti CWE-79
6.1
2021-08-27 CVE-2020-23226 Cross-site Scripting vulnerability in multiple products
Multiple Cross Site Scripting (XSS) vulneratiblities exist in Cacti 1.2.12 in (1) reports_admin.php, (2) data_queries.php, (3) data_input.php, (4) graph_templates.php, (5) graphs.php, (6) reports_admin.php, and (7) data_input.php.
network
low complexity
cacti debian CWE-79
6.1