Vulnerabilities > Cacti > Medium

DATE CVE VULNERABILITY TITLE RISK
2017-11-15 CVE-2014-4000 Code Injection vulnerability in Cacti
Cacti before 1.0.0 allows remote authenticated users to conduct PHP object injection attacks and execute arbitrary PHP code via a crafted serialized object, related to calling unserialize(stripslashes()).
network
low complexity
cacti CWE-94
6.5
6.5
2017-11-10 CVE-2017-16785 Cross-site Scripting vulnerability in Cacti 1.1.27
Cacti 1.1.27 has reflected XSS via the PATH_INFO to host.php.
network
cacti CWE-79
4.3
4.3
2017-11-08 CVE-2017-16661 Information Exposure vulnerability in Cacti 1.1.27
Cacti 1.1.27 allows remote authenticated administrators to read arbitrary files by placing the Log Path into a private directory, and then making a clog.php?filename= request, as demonstrated by filename=passwd (with a Log Path under /etc) to read /etc/passwd.
network
low complexity
cacti CWE-200
4.0
4.0
2017-10-11 CVE-2017-15194 Cross-site Scripting vulnerability in Cacti 1.1.25
include/global_session.php in Cacti 1.1.25 has XSS related to (1) the URI or (2) the refresh page.
network
cacti CWE-79
4.3
4.3
2017-08-18 CVE-2017-12927 Cross-site Scripting vulnerability in Cacti 1.1.17
A cross-site scripting vulnerability exists in Cacti 1.1.17 in the method parameter in spikekill.php.
network
cacti CWE-79
4.3
4.3
2017-07-17 CVE-2017-1000032 Cross-site Scripting vulnerability in Cacti 0.8.8B
Cross-Site scripting (XSS) vulnerabilities in Cacti 0.8.8b allow remote attackers to inject arbitrary web script or HTML via the parent_id parameter to tree.php and drp_action parameter to data_sources.php.
network
cacti CWE-79
4.3
4.3
2017-07-17 CVE-2017-1000031 SQL Injection vulnerability in Cacti 0.8.8B
SQL injection vulnerability in graph_templates_inputs.php in Cacti 0.8.8b allows remote attackers to execute arbitrary SQL commands via the graph_template_input_id and graph_template_id parameters.
network
low complexity
cacti CWE-89
6.5
6.5
2017-07-06 CVE-2017-10970 Cross-site Scripting vulnerability in Cacti 1.1.12
Cross-site scripting (XSS) vulnerability in link.php in Cacti 1.1.12 allows remote anonymous users to inject arbitrary web script or HTML via the id parameter, related to the die_html_input_error function in lib/html_validate.php.
network
cacti CWE-79
4.3
4.3
2016-04-12 CVE-2016-3172 SQL Injection vulnerability in Cacti
SQL injection vulnerability in tree.php in Cacti 0.8.8g and earlier allows remote authenticated users to execute arbitrary SQL commands via the parent_id parameter in an item_edit action.
network
low complexity
cacti CWE-89
6.5
6.5
2016-04-11 CVE-2015-8604 SQL Injection vulnerability in Cacti
SQL injection vulnerability in the host_new_graphs function in graphs_new.php in Cacti 0.8.8f and earlier allows remote authenticated users to execute arbitrary SQL commands via the cg_g parameter in a save action.
network
low complexity
cacti CWE-89
6.5
6.5