Vulnerabilities > Cacti > Medium

DATE CVE VULNERABILITY TITLE RISK
2017-11-08 CVE-2017-16661 Information Exposure vulnerability in Cacti 1.1.27
Cacti 1.1.27 allows remote authenticated administrators to read arbitrary files by placing the Log Path into a private directory, and then making a clog.php?filename= request, as demonstrated by filename=passwd (with a Log Path under /etc) to read /etc/passwd.
network
low complexity
cacti CWE-200
4.9
4.9
2017-10-11 CVE-2017-15194 Cross-site Scripting vulnerability in Cacti 1.1.25
include/global_session.php in Cacti 1.1.25 has XSS related to (1) the URI or (2) the refresh page.
network
low complexity
cacti CWE-79
6.1
6.1
2017-08-21 CVE-2017-12978 Cross-site Scripting vulnerability in Cacti
lib/html.php in Cacti before 1.1.18 has XSS via the title field of an external link added by an authenticated user.
network
low complexity
cacti CWE-79
5.4
5.4
2017-08-18 CVE-2017-12927 Cross-site Scripting vulnerability in Cacti 1.1.17
A cross-site scripting vulnerability exists in Cacti 1.1.17 in the method parameter in spikekill.php.
network
low complexity
cacti CWE-79
6.1
6.1
2017-08-01 CVE-2017-12066 Cross-site Scripting vulnerability in Cacti
Cross-site scripting (XSS) vulnerability in aggregate_graphs.php in Cacti before 1.1.16 allows remote authenticated users to inject arbitrary web script or HTML via specially crafted HTTP Referer headers, related to the $cancel_url variable.
network
low complexity
cacti CWE-79
5.4
5.4
2017-07-27 CVE-2017-11691 Cross-site Scripting vulnerability in Cacti 1.1.13
Cross-site scripting (XSS) vulnerability in auth_profile.php in Cacti 1.1.13 allows remote attackers to inject arbitrary web script or HTML via specially crafted HTTP Referer headers.
network
low complexity
cacti CWE-79
5.4
5.4
2017-07-17 CVE-2017-1000032 Cross-site Scripting vulnerability in Cacti 0.8.8B
Cross-Site scripting (XSS) vulnerabilities in Cacti 0.8.8b allow remote attackers to inject arbitrary web script or HTML via the parent_id parameter to tree.php and drp_action parameter to data_sources.php.
network
low complexity
cacti CWE-79
6.1
6.1
2017-07-10 CVE-2017-11163 Cross-site Scripting vulnerability in Cacti 1.1.12
Cross-site scripting (XSS) vulnerability in aggregate_graphs.php in Cacti 1.1.12 allows remote authenticated users to inject arbitrary web script or HTML via specially crafted HTTP Referer headers, related to the $cancel_url variable.
network
low complexity
cacti CWE-79
5.4
5.4
2017-07-06 CVE-2017-10970 Cross-site Scripting vulnerability in Cacti 1.1.12
Cross-site scripting (XSS) vulnerability in link.php in Cacti 1.1.12 allows remote anonymous users to inject arbitrary web script or HTML via the id parameter, related to the die_html_input_error function in lib/html_validate.php.
network
low complexity
cacti CWE-79
5.4
5.4