Vulnerabilities > Cacti > High
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2020-01-20 | CVE-2020-7237 | OS Command Injection vulnerability in Cacti 1.2.8 Cacti 1.2.8 allows Remote Code Execution (by privileged users) via shell metacharacters in the Performance Boost Debug Log field of poller_automation.php. | 8.8 |
2020-01-15 | CVE-2020-7058 | Improper Input Validation vulnerability in Cacti 1.2.8 data_input.php in Cacti 1.2.8 allows remote code execution via a crafted Input String to Data Collection -> Data Input Methods -> Unix -> Ping Host. | 8.8 |
2019-12-12 | CVE-2019-17358 | Deserialization of Untrusted Data vulnerability in multiple products Cacti through 1.2.7 is affected by multiple instances of lib/functions.php unsafe deserialization of user-controlled data to populate arrays. | 8.1 |
2017-11-24 | CVE-2016-10700 | Permissions, Privileges, and Access Controls vulnerability in Cacti auth_login.php in Cacti before 1.0.0 allows remote authenticated users who use web authentication to bypass intended access restrictions by logging in as a user not in the cacti database, because the guest user is not considered. | 8.8 |
2017-11-15 | CVE-2014-4000 | Code Injection vulnerability in Cacti Cacti before 1.0.0 allows remote authenticated users to conduct PHP object injection attacks and execute arbitrary PHP code via a crafted serialized object, related to calling unserialize(stripslashes()). | 8.8 |
2017-11-08 | CVE-2017-16660 | Exposure of Resource to Wrong Sphere vulnerability in Cacti 1.1.27 Cacti 1.1.27 allows remote authenticated administrators to conduct Remote Code Execution attacks by placing the Log Path under the web root, and then making a remote_agent.php request containing PHP code in a Client-ip header. | 7.2 |
2017-11-07 | CVE-2017-16641 | OS Command Injection vulnerability in Cacti 1.1.27 lib/rrd.php in Cacti 1.1.27 allows remote authenticated administrators to execute arbitrary OS commands via the path_rrdtool parameter in an action=save request to settings.php. | 7.2 |
2017-07-17 | CVE-2017-1000031 | SQL Injection vulnerability in Cacti 0.8.8B SQL injection vulnerability in graph_templates_inputs.php in Cacti 0.8.8b allows remote attackers to execute arbitrary SQL commands via the graph_template_input_id and graph_template_id parameters. | 8.8 |
2016-04-13 | CVE-2016-2313 | Permissions, Privileges, and Access Controls vulnerability in multiple products auth_login.php in Cacti before 0.8.8g allows remote authenticated users who use web authentication to bypass intended access restrictions by logging in as a user not in the cacti database. | 8.8 |
2016-04-12 | CVE-2016-3172 | SQL Injection vulnerability in Cacti SQL injection vulnerability in tree.php in Cacti 0.8.8g and earlier allows remote authenticated users to execute arbitrary SQL commands via the parent_id parameter in an item_edit action. | 8.8 |