Vulnerabilities > Cacti
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-01-11 | CVE-2020-35701 | SQL Injection vulnerability in multiple products An issue was discovered in Cacti 1.2.x through 1.2.16. | 8.8 |
| 2020-11-12 | CVE-2020-25706 | Cross-site Scripting vulnerability in multiple products A cross-site scripting (XSS) vulnerability exists in templates_import.php (Cacti 1.2.13) due to Improper escaping of error message during template import preview in the xml_path field | 6.1 |
| 2020-06-17 | CVE-2020-14295 | SQL Injection vulnerability in multiple products A SQL injection issue in color.php in Cacti 1.2.12 allows an admin to inject SQL via the filter parameter. | 7.2 |
| 2020-05-20 | CVE-2020-13231 | Cross-Site Request Forgery (CSRF) vulnerability in multiple products In Cacti before 1.2.11, auth_profile.php?action=edit allows CSRF for an admin email change. | 6.5 |
| 2020-05-20 | CVE-2020-13230 | Improper Preservation of Permissions vulnerability in multiple products In Cacti before 1.2.11, disabling a user account does not immediately invalidate any permissions granted to that account (e.g., permission to view logs). | 4.3 |
| 2020-02-22 | CVE-2020-8813 | OS Command Injection vulnerability in multiple products graph_realtime.php in Cacti 1.2.8 allows remote attackers to execute arbitrary OS commands via shell metacharacters in a cookie, if a guest user has the graph real-time privilege. | 8.8 |
| 2020-01-21 | CVE-2019-17357 | SQL Injection vulnerability in Cacti Cacti through 1.2.7 is affected by a graphs.php?template_id= SQL injection vulnerability affecting how template identifiers are handled when a string and id composite value are used to identify the template type and id. | 6.5 |
| 2020-01-20 | CVE-2020-7237 | OS Command Injection vulnerability in Cacti 1.2.8 Cacti 1.2.8 allows Remote Code Execution (by privileged users) via shell metacharacters in the Performance Boost Debug Log field of poller_automation.php. | 8.8 |
| 2020-01-16 | CVE-2020-7106 | Cross-site Scripting vulnerability in multiple products Cacti 1.2.8 has stored XSS in data_sources.php, color_templates_item.php, graphs.php, graph_items.php, lib/api_automation.php, user_admin.php, and user_group_admin.php, as demonstrated by the description parameter in data_sources.php (a raw string from the database that is displayed by $header to trigger the XSS). | 6.1 |
| 2020-01-15 | CVE-2020-7058 | Improper Input Validation vulnerability in Cacti 1.2.8 data_input.php in Cacti 1.2.8 allows remote code execution via a crafted Input String to Data Collection -> Data Input Methods -> Unix -> Ping Host. | 8.8 |