Vulnerabilities > Cacti
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2017-11-24 | CVE-2016-10700 | Permissions, Privileges, and Access Controls vulnerability in Cacti auth_login.php in Cacti before 1.0.0 allows remote authenticated users who use web authentication to bypass intended access restrictions by logging in as a user not in the cacti database, because the guest user is not considered. | 8.8 |
| 2017-11-15 | CVE-2014-4000 | Code Injection vulnerability in Cacti Cacti before 1.0.0 allows remote authenticated users to conduct PHP object injection attacks and execute arbitrary PHP code via a crafted serialized object, related to calling unserialize(stripslashes()). | 8.8 |
| 2017-11-10 | CVE-2017-16785 | Cross-site Scripting vulnerability in Cacti 1.1.27 Cacti 1.1.27 has reflected XSS via the PATH_INFO to host.php. | 6.1 |
| 2017-11-08 | CVE-2017-16661 | Information Exposure vulnerability in Cacti 1.1.27 Cacti 1.1.27 allows remote authenticated administrators to read arbitrary files by placing the Log Path into a private directory, and then making a clog.php?filename= request, as demonstrated by filename=passwd (with a Log Path under /etc) to read /etc/passwd. | 4.9 |
| 2017-11-08 | CVE-2017-16660 | Exposure of Resource to Wrong Sphere vulnerability in Cacti 1.1.27 Cacti 1.1.27 allows remote authenticated administrators to conduct Remote Code Execution attacks by placing the Log Path under the web root, and then making a remote_agent.php request containing PHP code in a Client-ip header. | 7.2 |
| 2017-11-07 | CVE-2017-16641 | OS Command Injection vulnerability in Cacti 1.1.27 lib/rrd.php in Cacti 1.1.27 allows remote authenticated administrators to execute arbitrary OS commands via the path_rrdtool parameter in an action=save request to settings.php. | 7.2 |
| 2017-10-11 | CVE-2017-15194 | Cross-site Scripting vulnerability in Cacti 1.1.25 include/global_session.php in Cacti 1.1.25 has XSS related to (1) the URI or (2) the refresh page. | 6.1 |
| 2017-08-21 | CVE-2017-12978 | Cross-site Scripting vulnerability in Cacti lib/html.php in Cacti before 1.1.18 has XSS via the title field of an external link added by an authenticated user. | 5.4 |
| 2017-08-18 | CVE-2017-12927 | Cross-site Scripting vulnerability in Cacti 1.1.17 A cross-site scripting vulnerability exists in Cacti 1.1.17 in the method parameter in spikekill.php. | 6.1 |
| 2017-08-01 | CVE-2017-12066 | Cross-site Scripting vulnerability in Cacti Cross-site scripting (XSS) vulnerability in aggregate_graphs.php in Cacti before 1.1.16 allows remote authenticated users to inject arbitrary web script or HTML via specially crafted HTTP Referer headers, related to the $cancel_url variable. | 5.4 |