Page 11 of 125 results (0.010 seconds)

CVSS: 5.4EPSS: 0%CPEs: 2EXPL: 1

Cacti before 1.1.37 has XSS because it makes certain htmlspecialchars calls without the ENT_QUOTES flag (these calls occur when the html_escape function in lib/html.php is not used). Cacti, en versiones anteriores a la 1.1.37, tiene Cross-Site Scripting (XSS) debido a que realiza ciertas llamadas htmlspecialchars sin la marca ENT_QUOTES (estas llamadas ocurren cuando no se emplea la función html_escape en lib/html.php). • http://www.securitytracker.com/id/1040620 https://github.com/Cacti/cacti/issues/1457 https://lists.debian.org/debian-lts-announce/2022/03/msg00038.html https://www.cacti.net/changelog.php • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1

Cacti before 1.1.37 has XSS because the get_current_page function in lib/functions.php relies on $_SERVER['PHP_SELF'] instead of $_SERVER['SCRIPT_NAME'] to determine a page name. Cacti, en versiones anteriores a la 1.1.37, tiene Cross-Site Scripting (XSS) debido a que la función get_current_page en lib/functions.php depende de $_SERVER['PHP_SELF'] en lugar de $_SERVER['SCRIPT_NAME'] para determinar un nombre de página. • http://www.securitytracker.com/id/1040620 https://github.com/Cacti/cacti/issues/1457 https://www.cacti.net/changelog.php • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0

auth_login.php in Cacti before 1.0.0 allows remote authenticated users who use web authentication to bypass intended access restrictions by logging in as a user not in the cacti database, because the guest user is not considered. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-2313. auth_login.php en versiones anteriores a la 1.0.0 de Cacti permite que usuarios autenticados remotos que emplean la autenticación web omitan las restricciones de acceso planeadas iniciando sesión como usuario que no está en la base de datos de Cacti, ya que el usuario invitado no está considerado. NOTA: Esta vulnerabilidad existe debido a una solución incompleta para CVE-2016-2313. • http://bugs.cacti.net/view.php?id=2697 http://www.cacti.net/release_notes_1_0_0.php https://github.com/Cacti/cacti/commit/69983495cd41bf0903fe02baeef84b1fa85f2846 https://web.archive.org/web/20160817090458/http://bugs.cacti.net/view.php?id=2697 • CWE-264: Permissions, Privileges, and Access Controls •

CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0

Cacti before 1.0.0 allows remote authenticated users to conduct PHP object injection attacks and execute arbitrary PHP code via a crafted serialized object, related to calling unserialize(stripslashes()). Cacti en versiones anteriores a la 1.0.0 permite que usuarios remotos autenticados lleven a cabo ataques de inyección de objetos PHP y ejecuten código PHP arbitrario mediante un objeto serializado manipulado, relacionado con la llamada a unserialize(stripslashes()). • https://forums.cacti.net/viewtopic.php?f=4&t=56794 https://security-tracker.debian.org/tracker/CVE-2014-4000 https://security.gentoo.org/glsa/201711-10 https://www.cacti.net/release_notes_1_0_0.php • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1

Cacti 1.1.27 has reflected XSS via the PATH_INFO to host.php. Cacti 1.1.27 tiene XSS reflejado mediante PATH_INFO en host.php. • http://www.securitytracker.com/id/1039774 https://github.com/Cacti/cacti/issues/1071 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •