Vulnerabilities > Cacti

DATE CVE VULNERABILITY TITLE RISK
2019-12-12 CVE-2019-17358 Deserialization of Untrusted Data vulnerability in multiple products
Cacti through 1.2.7 is affected by multiple instances of lib/functions.php unsafe deserialization of user-controlled data to populate arrays.
network
low complexity
cacti debian opensuse CWE-502
8.1
2019-09-23 CVE-2019-16723 Authorization Bypass Through User-Controlled Key vulnerability in Cacti
In Cacti through 1.2.6, authenticated users may bypass authorization checks (for viewing a graph) via a direct graph_json.php request with a modified local_graph_id parameter.
network
low complexity
cacti CWE-639
4.3
2019-04-08 CVE-2019-11025 Cross-site Scripting vulnerability in multiple products
In clearFilter() in utilities.php in Cacti before 1.2.3, no escaping occurs before printing out the value of the SNMP community string (SNMP Options) in the View poller cache, leading to XSS.
network
low complexity
cacti debian CWE-79
5.4
2019-01-16 CVE-2018-20726 Cross-site Scripting vulnerability in Cacti
A cross-site scripting (XSS) vulnerability exists in host.php (via tree.php) in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Website Hostname field for Devices.
network
low complexity
cacti CWE-79
5.4
2019-01-16 CVE-2018-20725 Cross-site Scripting vulnerability in Cacti
A cross-site scripting (XSS) vulnerability exists in graph_templates.php in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Graph Vertical Label.
network
low complexity
cacti CWE-79
4.8
2019-01-16 CVE-2018-20724 Cross-site Scripting vulnerability in Cacti
A cross-site scripting (XSS) vulnerability exists in pollers.php in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Website Hostname for Data Collectors.
network
low complexity
cacti CWE-79
4.8
2019-01-16 CVE-2018-20723 Cross-site Scripting vulnerability in Cacti
A cross-site scripting (XSS) vulnerability exists in color_templates.php in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Name field for a Color.
network
low complexity
cacti CWE-79
4.8
2018-04-12 CVE-2018-10061 Cross-site Scripting vulnerability in multiple products
Cacti before 1.1.37 has XSS because it makes certain htmlspecialchars calls without the ENT_QUOTES flag (these calls occur when the html_escape function in lib/html.php is not used).
network
low complexity
cacti debian CWE-79
5.4
2018-04-12 CVE-2018-10060 Cross-site Scripting vulnerability in multiple products
Cacti before 1.1.37 has XSS because it does not properly reject unintended characters, related to use of the sanitize_uri function in lib/functions.php.
network
low complexity
cacti debian CWE-79
5.4
2018-04-12 CVE-2018-10059 Cross-site Scripting vulnerability in Cacti
Cacti before 1.1.37 has XSS because the get_current_page function in lib/functions.php relies on $_SERVER['PHP_SELF'] instead of $_SERVER['SCRIPT_NAME'] to determine a page name.
network
low complexity
cacti CWE-79
5.4