Latest Cacti Vulnerabilities

SQL Injection vulnerability when managing SNMP Notification Receivers
Cacti Cacti=1.2.25
Cross-Site Scripting vulnerability when importing an XML template file
Cacti Cacti=1.2.25
Cacti has an incomplete fix for CVE-2023-39515
Cacti Cacti<1.2.25
Reflected Cross Site Scripting (XSS) vulnerability in Cacti v1.2.25 allows remote attackers to escalate privileges when uploading an XML template file via templates_import.php.
Cacti Cacti=1.2.25
Cacti is vulnerable to DOM-based cross-site scripting (XSS)
Cacti Cacti=1.2.25
SQL Injection vulnerability in Cacti v1.2.25 allows a remote attacker to obtain sensitive information via the form_actions() function in managers.php.
Cacti Cacti=1.2.25
Cacti graph_view SQL Injection Authentication Bypass Vulnerability
Cacti Cacti
Cacti link Local File Inclusion Remote Code Execution Vulnerability
Cacti Cacti
Stored Cross-Site-Scripting on reports_admin.php device name in Cacti
Cacti Cacti<1.2.25
Fedoraproject Fedora=37
Fedoraproject Fedora=38
Insecure Deserialization in Cacti
Cacti Cacti<1.2.25
Fedoraproject Fedora=37
Fedoraproject Fedora=38
Cacti Privilege Escalation
Cacti Cacti<1.2.25
Microsoft Windows
Authenticated command injection in SNMP options of a Device
Cacti Cacti<1.2.25
Fedoraproject Fedora=37
Fedoraproject Fedora=38
debian/cacti<=1.2.2+ds1-2+deb10u4<=1.2.2+ds1-2+deb10u5<=1.2.16+ds1-2+deb11u1<=1.2.24+ds1-1
Open redirect in change password functionality in Cacti
Cacti Cacti=1.2.24
Fedoraproject Fedora=37
Fedoraproject Fedora=38
debian/cacti<=1.2.2+ds1-2+deb10u4<=1.2.2+ds1-2+deb10u5<=1.2.16+ds1-2+deb11u1<=1.2.24+ds1-1
Stored Cross-Site-Scripting on data_sources.php debug html-block in Cacti
Cacti Cacti<1.2.25
Fedoraproject Fedora=37
Fedoraproject Fedora=38
debian/cacti<=1.2.2+ds1-2+deb10u4<=1.2.2+ds1-2+deb10u5<=1.2.16+ds1-2+deb11u1<=1.2.24+ds1-1
Cacti graph_view SQL Injection Authentication Bypass Vulnerability
Cacti Cacti<1.2.25
Fedoraproject Fedora=37
Fedoraproject Fedora=38
debian/cacti<=1.2.2+ds1-2+deb10u4<=1.2.2+ds1-2+deb10u5<=1.2.16+ds1-2+deb11u1<=1.2.24+ds1-1
Cacti Cacti
A Defect in sql_save() Causes Multiple SQL Injection Vulnerabilities in Cacti
Cacti Cacti=1.2.24
Fedoraproject Fedora=37
Fedoraproject Fedora=38
debian/cacti<=1.2.2+ds1-2+deb10u4<=1.2.2+ds1-2+deb10u5<=1.2.16+ds1-2+deb11u1<=1.2.24+ds1-1
Authenticated SQL injection vulnerability in reports_user.php in Cacti
Cacti Cacti<1.2.25
Fedoraproject Fedora=37
Fedoraproject Fedora=38
Authenticated SQL injection vulnerability in graphs.php in Cacti
Cacti Cacti<1.2.25
Fedoraproject Fedora=37
Fedoraproject Fedora=38
debian/cacti<=1.2.2+ds1-2+deb10u4<=1.2.2+ds1-2+deb10u5<=1.2.16+ds1-2+deb11u1<=1.2.24+ds1-1
Reflected Cross-site Scripting in graphs_new.php in Cacti
Cacti Cacti=1.2.24
Fedoraproject Fedora=37
Fedoraproject Fedora=38
Stored Cross-site Scripting in data_sources.php through Device-Name in 'select' input in Cacti
Cacti Cacti>=1.2.0<1.2.25
Fedoraproject Fedora=37
Fedoraproject Fedora=38
debian/cacti<=1.2.2+ds1-2+deb10u4<=1.2.2+ds1-2+deb10u5<=1.2.24+ds1-1
Ivanti Endpoint Management=2022 Service Update 5
Stored Cross-site Scripting in reports_admin.php through Device-Name in 'select' input in Cacti
Cacti Cacti<1.2.25
Fedoraproject Fedora=37
Fedoraproject Fedora=38
debian/cacti<=1.2.24+ds1-1
Stored Cross-site Scripting on data_sources.php device name view in Cacti
Cacti Cacti<1.2.25
Fedoraproject Fedora=37
Fedoraproject Fedora=38
debian/cacti<=1.2.24+ds1-1
Stored Cross-site Scripting on host.php verbose data-query debug view in Cacti
Cacti Cacti<1.2.25
Fedoraproject Fedora=37
Fedoraproject Fedora=38
debian/cacti<=1.2.2+ds1-2+deb10u4<=1.2.2+ds1-2+deb10u5<=1.2.16+ds1-2+deb11u1<=1.2.24+ds1-1
Stored Cross-site Scripting on data_debug.php datasource path view in Cacti
Cacti Cacti<1.2.25
Fedoraproject Fedora=37
Fedoraproject Fedora=38
debian/cacti<=1.2.2+ds1-2+deb10u4<=1.2.2+ds1-2+deb10u5<=1.2.16+ds1-2+deb11u1<=1.2.24+ds1-1
Stored Cross-site Scripting on graphs.php data template formatted name view in Cacti
Cacti Cacti<1.2.25
Fedoraproject Fedora=37
Fedoraproject Fedora=38
debian/cacti<=1.2.24+ds1-1
Unauthenticated SQL Injection in graph_view.php in Cacti
Cacti Cacti=1.2.24
Fedoraproject Fedora=37
Fedoraproject Fedora=38
ubuntu/cacti<1.2.25+
ubuntu/cacti<1.2.19+
and 1 more
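The affected-version lines in this listing use a compact syntax: a single comparison ("Cacti Cacti<1.2.25", "Cacti Cacti<=0.8.7g", "Cacti Cacti=1.2.19"), a lower and upper bound run together ("Cacti Cacti>=1.2.0<1.2.25"), several "<=" bounds concatenated on one debian/cacti line, and a bare "Cacti Cacti" with no version at all. Deciding whether an installed version is inside such an expression needs a version order that understands both plain upstream strings like 0.8.7g and Debian package versions like 1.2.16+ds1-2+deb11u1. The Python below is an added example, not SecAlerts' or the Cacti project's code: it parses the syntax as it appears on this page and compares versions with the dpkg ordering algorithm (epoch, upstream, revision; digit runs numerically, "~" before everything else). Two things are assumptions rather than anything the page states: that a lower bound pairs with the next upper bound while stand-alone bounds are alternatives, and that each "<=" on a debian/cacti line is the last affected build of one Debian suite, tagged +debNNuM in its revision, with the untagged bound belonging to sid.

```python
import re

# One regex pulls every (operator, version) pair out of a listing line such as
# "Cacti Cacti>=1.2.0<1.2.25" or "debian/cacti<=1.2.2+ds1-2+deb10u4<=1.2.24+ds1-1".
_BOUND_RE = re.compile(r"(<=|>=|<|>|=)([^<>=]+)")
_OPS = {"<": lambda c: c < 0, "<=": lambda c: c <= 0, ">": lambda c: c > 0,
        ">=": lambda c: c >= 0, "=": lambda c: c == 0}


def _order(c):
    """dpkg character weight: '~' sorts before end-of-string (0), digits are
    neutral here (compared numerically elsewhere), letters before punctuation."""
    if c == "~":
        return -1
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a, b):
    """dpkg's algorithm: alternate non-digit runs (by _order) and digit runs
    (numerically, leading zeros ignored). Orders 0.8.7 < 0.8.7g < 0.8.8."""
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        first_diff = 0
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            first_diff = first_diff or ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if i < len(a) and a[i].isdigit():
            return 1          # a has more digits left, so it is the larger number
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """'epoch:upstream-revision' with optional epoch and revision."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(a, b):
    """Negative, zero or positive, in dpkg order; also fine for plain upstream strings."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    return (ea - eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


def parse_bounds(line):
    """(operator, version) pairs in the order they appear on the listing line."""
    return [(op, ver.strip()) for op, ver in _BOUND_RE.findall(line)]


def to_ranges(bounds):
    """Assumed grouping: a lower bound attaches to the next upper bound to form
    one interval; every other bound stands alone. Ranges are alternatives."""
    ranges, lower = [], None
    for op, ver in bounds:
        if op in (">", ">="):
            lower = (op, ver)
        elif op in ("<", "<="):
            ranges.append(([lower] if lower else []) + [(op, ver)])
            lower = None
        else:
            ranges.append([(op, ver)])
    if lower:
        ranges.append([lower])
    return ranges


def is_affected(installed, line, suite=None):
    """True/False when the line constrains versions, None when it carries none
    (bare 'Cacti Cacti'). suite (e.g. 'deb11') keeps only the bounds tagged for
    that Debian suite; without it a patched bullseye build still compares below
    the untagged sid bound and is reported as affected."""
    bounds = parse_bounds(line)
    if suite:
        # Assumption about the listing: each <= on a debian/cacti line is the
        # last affected build of one suite, tagged +debNNuM in its revision.
        bounds = [(op, v) for op, v in bounds if f"+{suite}u" in v]
    ranges = to_ranges(bounds)
    if not ranges:
        return None
    return any(all(_OPS[op](compare_versions(installed, v)) for op, v in rng)
               for rng in ranges)


if __name__ == "__main__":
    deb = "debian/cacti<=1.2.2+ds1-2+deb10u4<=1.2.16+ds1-2+deb11u1<=1.2.24+ds1-1"
    print(is_affected("1.2.24", "Cacti Cacti<1.2.25"))              # True
    print(is_affected("1.2.16+ds1-2+deb11u2", deb))                 # True (sid bound)
    print(is_affected("1.2.16+ds1-2+deb11u2", deb, suite="deb11"))  # False
```

The suite argument is the caveat worth remembering when reading the debian/cacti lines: a bullseye package such as 1.2.16+ds1-2+deb11u2 is newer than the deb11 bound, yet it is older than 1.2.24+ds1-1 by version order alone, so a naive "is my version below any listed bound" check reports a patched system as vulnerable. Match the bound to the suite you run, or read the distribution's own tracker, before acting on this listing.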
A reflected cross-site scripting (XSS) vulnerability in Cacti 0.8.7g and earlier allows unauthenticated remote attackers to inject arbitrary web script or HTML in the "ref" parameter at auth_changepas...
Cacti Cacti<=0.8.7g
In Cacti 1.2.19, there is an authentication bypass in the web login functionality because of improper validation in the PHP code: cacti_ldap_auth() allows a zero as the password.
Cacti Cacti=1.2.19
Cross Site Scripting (XSS) vulnerability in Cacti 1.2.21 via crafted POST request to graphs_new.php.
Cacti Cacti=1.2.21
Cacti before 1.2.6 allows IDOR (Insecure Direct Object Reference) for accessing any graph via a modified local_graph_id parameter to graph_xport.php. This is a different vulnerability than CVE-2019-16...
Cacti Cacti<1.2.6
Cacti Command Injection Vulnerability
Cacti Cacti<=1.2.22
debian/cacti<=1.2.2+ds1-2+deb10u4
Under certain LDAP conditions, Cacti authentication can be bypassed with certain credential types.
Cacti Cacti=1.2.19
Debian Debian Linux=9.0
Debian Debian Linux=10.0
Debian Debian Linux=11.0
Fedoraproject Fedora=34
Fedoraproject Fedora=35
and 2 more
Cacti 1.1.38 allows authenticated users with User Management permissions to inject arbitrary web script or HTML in the "new_username" field during creation of a new user via "Copy" method at user_admi...
Cacti Cacti=1.1.38
Debian Debian Linux=9.0
Cacti 1.1.38 allows authenticated users with User Management permissions to inject arbitrary HTML in the group_prefix field during the creation of a new group via "Copy" method at user_group_admin.php...
Cacti Cacti=1.1.38
As an unauthenticated remote user, visit "http://<CACTI_SERVER>/auth_changepassword.php?ref=<script>alert(1)</script>" to successfully execute the JavaScript payload present in the "ref" URL parameter...
Cacti Cacti=0.8.7g
Cacti before 1.2.18 allows remote attackers to trigger XSS via template import for the midwinter theme.
Cacti Cacti<1.2.18
Multiple Cross Site Scripting (XSS) vulnerabilities exist in Cacti 1.2.12 in (1) reports_admin.php, (2) data_queries.php, (3) data_input.php, (4) graph_templates.php, (5) graphs.php, (6) reports_admi...
Cacti Cacti=1.2.12
Debian Debian Linux=9.0
Debian Debian Linux=10.0
An issue was discovered in Cacti 1.2.x through 1.2.16. A SQL injection vulnerability in data_debug.php allows remote authenticated attackers to execute arbitrary SQL commands via the site_id parameter...
Cacti Cacti>=1.2.0<=1.2.16
Fedoraproject Fedora=32
Fedoraproject Fedora=33
Fedoraproject Fedora=34
A cross-site scripting (XSS) vulnerability exists in templates_import.php (Cacti 1.2.13) due to Improper escaping of error message during template import preview in the xml_path field
Cacti Cacti=1.2.13
Debian Debian Linux=10.0
A SQL injection issue in color.php in Cacti 1.2.12 allows an admin to inject SQL via the filter parameter. This can lead to remote command execution because the product accepts stacked queries.
Cacti Cacti=1.2.12
Fedoraproject Fedora=31
Fedoraproject Fedora=32
In Cacti before 1.2.11, disabling a user account does not immediately invalidate any permissions granted to that account (e.g., permission to view logs).
Cacti Cacti<1.2.11
Debian Debian Linux=9.0
Fedoraproject Fedora=31
Fedoraproject Fedora=32
In Cacti before 1.2.11, auth_profile.php?action=edit allows CSRF for an admin email change.
Cacti Cacti<1.2.11
Fedoraproject Fedora=31
Fedoraproject Fedora=32
graph_realtime.php in Cacti 1.2.8 allows remote attackers to execute arbitrary OS commands via shell metacharacters in a cookie, if a guest user has the graph real-time privilege.
Cacti Cacti=1.2.8
Fedoraproject Fedora=30
Fedoraproject Fedora=31
Fedoraproject Fedora=32
Opmantek Open-AudIT=3.3.1
Opensuse Suse Package Hub
and 2 more
Cacti 1.2.8 allows Remote Code Execution (by privileged users) via shell metacharacters in the Performance Boost Debug Log field of poller_automation.php. OS commands are executed when a new poller cy...
Cacti Cacti=1.2.8
Cacti 1.2.8 has stored XSS in data_sources.php, color_templates_item.php, graphs.php, graph_items.php, lib/api_automation.php, user_admin.php, and user_group_admin.php, as demonstrated by the descript...
Cacti Cacti<1.2.9
Debian Debian Linux=8.0
Debian Debian Linux=9.0
openSUSE Backports SLE=15.0-sp1
openSUSE Leap=15.1
Suse Package Hub
and 6 more
** DISPUTED ** data_input.php in Cacti 1.2.8 allows remote code execution via a crafted Input String to Data Collection -> Data Input Methods -> Unix -> Ping Host. NOTE: the vendor has stated "This is...
Cacti Cacti=1.2.8
Cacti through 1.2.7 is affected by a graphs.php?template_id= SQL injection vulnerability affecting how template identifiers are handled when a string and id composite value are used to identify the te...
Cacti Cacti<=1.2.7
debian/cacti
Cacti through 1.2.7 is affected by multiple instances of lib/functions.php unsafe deserialization of user-controlled data to populate arrays. An authenticated attacker could use this to influence obje...
Cacti Cacti<=1.2.7
Debian Debian Linux=8.0
openSUSE Leap=42.3
ubuntu/cacti<0.8.8<1.2.8+
ubuntu/cacti<0.8.8
debian/cacti
In Cacti through 1.2.6, authenticated users may bypass authorization checks (for viewing a graph) via a direct graph_json.php request with a modified local_graph_id parameter.
debian/cacti<=1.2.2+ds1-2<=1.2.2+ds1-2+deb10u1<=1.2.6+ds1-2
Cacti Cacti<=1.2.6
debian/cacti
Cacti Cacti<1.2.3
Debian Debian Linux=8.0
Debian Debian Linux=9.0
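Several entries above name the exact script and parameter involved: the "ref" parameter of auth_changepassword.php (reflected XSS, 0.8.7g), template_id on graphs.php (SQL injection through 1.2.7), site_id on data_debug.php (1.2.x through 1.2.16), filter on color.php (1.2.12), unauthenticated SQL injection in graph_view.php (1.2.24), and a modified local_graph_id sent to graph_xport.php or graph_json.php to read graphs the user is not authorised for (IDOR, before 1.2.6 and through 1.2.6). That is enough to go looking for exploitation attempts in web-server access logs. The Python below is an added example, not SecAlerts' or the Cacti project's code and not an official signature set: it parses combined-format access log lines, flags XSS or SQL metacharacters in the named parameters (all parameters for graph_view.php, where the listing names none), and flags a client that requests many distinct local_graph_id values from the per-graph endpoints. The log lines are constructed for the example, and the enumeration threshold and the metacharacter regexes are my choices, to be tuned against real traffic.

```python
import re
from collections import defaultdict
from typing import NamedTuple
from urllib.parse import urlsplit, parse_qs

# Scripts and parameters taken from the entries above; "*" where the listing
# names the script but not the parameter. Parameters are inspected percent-decoded.
WATCHED_PARAMS = {
    "auth_changepassword.php": {"ref"},   # reflected XSS (0.8.7g)
    "graphs.php": {"template_id"},        # SQL injection (through 1.2.7)
    "data_debug.php": {"site_id"},        # SQL injection (1.2.x through 1.2.16)
    "color.php": {"filter"},              # SQL injection, stacked queries (1.2.12)
    "graph_view.php": {"*"},              # unauthenticated SQL injection (1.2.24)
}
# Per-graph endpoints where a modified local_graph_id bypassed authorisation.
IDOR_SCRIPTS = {"graph_xport.php", "graph_json.php"}
IDOR_PARAM = "local_graph_id"

# Heuristic markers (my choice, not signatures from the listing).
XSS_RE = re.compile(r"<\s*/?\s*[a-z]|javascript:|on[a-z]+\s*=", re.I)
SQLI_RE = re.compile(r"['\"]|--|;|/\*|\b(?:union|select|sleep|benchmark)\b", re.I)
# Apache/nginx combined log format: ip ident user [time] "METHOD target proto" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


class Finding(NamedTuple):
    rule: str
    ip: str
    script: str
    detail: str


def parse_line(line):
    """Split one combined-format line into ip, script name and decoded params."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, target, status = m.groups()
    parts = urlsplit(target)
    return {
        "ip": ip, "ts": ts, "method": method, "status": int(status),
        "script": parts.path.rsplit("/", 1)[-1],
        "params": parse_qs(parts.query, keep_blank_values=True),
    }


def scan(log_text, enumeration_threshold=10):
    """Return Findings for injection markers in watched parameters and for
    clients requesting >= enumeration_threshold distinct graph ids."""
    findings = []
    seen_ids = defaultdict(set)  # (ip, script) -> distinct local_graph_id values
    for raw in log_text.splitlines():
        req = parse_line(raw)
        if not req:
            continue
        script, params = req["script"], req["params"]
        watched = WATCHED_PARAMS.get(script)
        if watched:
            for name, values in params.items():
                if "*" not in watched and name not in watched:
                    continue
                for v in values:
                    if XSS_RE.search(v):
                        findings.append(Finding("reflected-xss", req["ip"], script, f"{name}={v}"))
                    elif SQLI_RE.search(v):
                        findings.append(Finding("sqli", req["ip"], script, f"{name}={v}"))
        if script in IDOR_SCRIPTS:
            for v in params.get(IDOR_PARAM, []):
                seen_ids[(req["ip"], script)].add(v)
    for (ip, script), ids in seen_ids.items():
        if len(ids) >= enumeration_threshold:
            findings.append(Finding("idor-enumeration", ip, script,
                                    f"{len(ids)} distinct {IDOR_PARAM} values"))
    return findings


# Constructed sample, not real traffic: an XSS probe and a SQLi probe from
# 10.0.0.5, a graph-id sweep from 10.0.0.9, and benign requests from 10.0.0.7.
SAMPLE_LOG = "\n".join(
    [
        '10.0.0.5 - - [12/Jan/2024:10:00:01 +0000] "GET /cacti/auth_changepassword.php?ref=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
        '10.0.0.5 - - [12/Jan/2024:10:00:02 +0000] "GET /cacti/graphs.php?template_id=1%27%20OR%201%3D1--%20 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
        '10.0.0.7 - - [12/Jan/2024:10:00:03 +0000] "GET /cacti/graph_view.php?action=tree HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
        '10.0.0.7 - - [12/Jan/2024:10:00:04 +0000] "GET /cacti/graph_xport.php?local_graph_id=42 HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    ]
    + [
        f'10.0.0.9 - - [12/Jan/2024:10:01:{i:02d} +0000] "GET /cacti/graph_xport.php?local_graph_id={i} HTTP/1.1" 200 900 "-" "curl/8.4.0"'
        for i in range(1, 13)
    ]
)

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.rule:17} {f.ip:10} {f.script:25} {f.detail}")
```

Two caveats when running this against real logs: POST bodies never reach the access log, so the graphs_new.php POST-based XSS listed above (1.2.21) and the cookie-borne command injection in graph_realtime.php (1.2.8) are invisible to it, and the enumeration rule counts distinct ids over the whole file rather than a time window, which is fine for a day's log but should be bucketed for longer retention.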

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203