Vulnerabilities > Cacti > Medium

DATE CVE VULNERABILITY TITLE RISK
2022-01-19 CVE-2021-23225 Cross-site Scripting vulnerability in multiple products
Cacti 1.1.38 allows authenticated users with User Management permissions to inject arbitrary web script or HTML in the "new_username" field during creation of a new user via "Copy" method at user_admin.php.
network
low complexity
cacti debian CWE-79
5.4
5.4
2022-01-19 CVE-2021-26247 Cross-site Scripting vulnerability in Cacti 0.8.7G
As an unauthenticated remote user, visit "http://<CACTI_SERVER>/auth_changepassword.php?ref=<script>alert(1)</script>" to successfully execute the JavaScript payload present in the "ref" URL parameter.
network
low complexity
cacti CWE-79
6.1
6.1
2022-01-19 CVE-2021-3816 Cross-site Scripting vulnerability in Cacti 1.1.38
Cacti 1.1.38 allows authenticated users with User Management permissions to inject arbitrary HTML in the group_prefix field during the creation of a new group via "Copy" method at user_group_admin.php.
network
low complexity
cacti CWE-79
5.4
5.4
2021-11-14 CVE-2020-14424 Cross-site Scripting vulnerability in Cacti
Cacti before 1.2.18 allows remote attackers to trigger XSS via template import for the midwinter theme.
network
low complexity
cacti CWE-79
6.1
6.1
2021-08-27 CVE-2020-23226 Cross-site Scripting vulnerability in multiple products
Multiple Cross Site Scripting (XSS) vulneratiblities exist in Cacti 1.2.12 in (1) reports_admin.php, (2) data_queries.php, (3) data_input.php, (4) graph_templates.php, (5) graphs.php, (6) reports_admin.php, and (7) data_input.php.
network
low complexity
cacti debian CWE-79
6.1
6.1
2020-11-12 CVE-2020-25706 Cross-site Scripting vulnerability in multiple products
A cross-site scripting (XSS) vulnerability exists in templates_import.php (Cacti 1.2.13) due to Improper escaping of error message during template import preview in the xml_path field
network
low complexity
cacti debian CWE-79
6.1
6.1
2020-05-20 CVE-2020-13231 Cross-Site Request Forgery (CSRF) vulnerability in multiple products
In Cacti before 1.2.11, auth_profile.php?action=edit allows CSRF for an admin email change.
network
low complexity
cacti fedoraproject CWE-352
6.5
6.5
2020-05-20 CVE-2020-13230 Improper Preservation of Permissions vulnerability in multiple products
In Cacti before 1.2.11, disabling a user account does not immediately invalidate any permissions granted to that account (e.g., permission to view logs).
network
low complexity
cacti debian fedoraproject CWE-281
4.3
4.3
2020-01-21 CVE-2019-17357 SQL Injection vulnerability in Cacti
Cacti through 1.2.7 is affected by a graphs.php?template_id= SQL injection vulnerability affecting how template identifiers are handled when a string and id composite value are used to identify the template type and id.
network
low complexity
cacti CWE-89
6.5
6.5
2020-01-16 CVE-2020-7106 Cross-site Scripting vulnerability in multiple products
Cacti 1.2.8 has stored XSS in data_sources.php, color_templates_item.php, graphs.php, graph_items.php, lib/api_automation.php, user_admin.php, and user_group_admin.php, as demonstrated by the description parameter in data_sources.php (a raw string from the database that is displayed by $header to trigger the XSS).
network
low complexity
cacti debian opensuse suse fedoraproject CWE-79
6.1
6.1