Vulnerabilities > Cacti > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2018-04-12 | CVE-2018-10061 | Cross-site Scripting vulnerability in multiple products Cacti before 1.1.37 has XSS because it makes certain htmlspecialchars calls without the ENT_QUOTES flag (these calls occur when the html_escape function in lib/html.php is not used). | 5.4 |
| 2018-04-12 | CVE-2018-10060 | Cross-site Scripting vulnerability in multiple products Cacti before 1.1.37 has XSS because it does not properly reject unintended characters, related to use of the sanitize_uri function in lib/functions.php. | 5.4 |
| 2018-04-12 | CVE-2018-10059 | Cross-site Scripting vulnerability in Cacti Cacti before 1.1.37 has XSS because the get_current_page function in lib/functions.php relies on $_SERVER['PHP_SELF'] instead of $_SERVER['SCRIPT_NAME'] to determine a page name. | 5.4 |
| 2017-11-10 | CVE-2017-16785 | Cross-site Scripting vulnerability in Cacti 1.1.27 Cacti 1.1.27 has reflected XSS via the PATH_INFO to host.php. | 6.1 |
| 2017-11-08 | CVE-2017-16661 | Information Exposure vulnerability in Cacti 1.1.27 Cacti 1.1.27 allows remote authenticated administrators to read arbitrary files by placing the Log Path into a private directory, and then making a clog.php?filename= request, as demonstrated by filename=passwd (with a Log Path under /etc) to read /etc/passwd. | 4.9 |
| 2017-10-11 | CVE-2017-15194 | Cross-site Scripting vulnerability in Cacti 1.1.25 include/global_session.php in Cacti 1.1.25 has XSS related to (1) the URI or (2) the refresh page. | 6.1 |
| 2017-08-21 | CVE-2017-12978 | Cross-site Scripting vulnerability in Cacti lib/html.php in Cacti before 1.1.18 has XSS via the title field of an external link added by an authenticated user. | 5.4 |
| 2017-08-18 | CVE-2017-12927 | Cross-site Scripting vulnerability in Cacti 1.1.17 A cross-site scripting vulnerability exists in Cacti 1.1.17 in the method parameter in spikekill.php. | 6.1 |
| 2017-08-01 | CVE-2017-12066 | Cross-site Scripting vulnerability in Cacti Cross-site scripting (XSS) vulnerability in aggregate_graphs.php in Cacti before 1.1.16 allows remote authenticated users to inject arbitrary web script or HTML via specially crafted HTTP Referer headers, related to the $cancel_url variable. | 5.4 |
| 2017-07-27 | CVE-2017-11691 | Cross-site Scripting vulnerability in Cacti 1.1.13 Cross-site scripting (XSS) vulnerability in auth_profile.php in Cacti 1.1.13 allows remote attackers to inject arbitrary web script or HTML via specially crafted HTTP Referer headers. | 5.4 |