CVE-2013-1435
https://notcve.org/view.php?id=CVE-2013-1435
(1) snmp.php and (2) rrd.php in Cacti before 0.8.8b allows remote attackers to execute arbitrary commands via shell metacharacters in unspecified vectors. (1) snmp.php y (2) rrd.php en Cacti anterior a v0.8.8b permite a atacantes remotos ejecutar código arbitrario a través de metacaracteres de shell en vectores no especificados. • http://forums.cacti.net/viewtopic.php?f=21&t=50593 http://lists.opensuse.org/opensuse-updates/2013-08/msg00053.html http://secunia.com/advisories/54181 http://secunia.com/advisories/54386 http://svn.cacti.net/viewvc?view=rev&revision=7392 http://svn.cacti.net/viewvc?view=rev&revision=7393 http://www.debian.org/security/2012/dsa-2739 http://www.openwall.com/lists/oss-security/2013/08/07/15 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2011-5223
https://notcve.org/view.php?id=CVE-2011-5223
Cross-site request forgery (CSRF) vulnerability in logout.php in Cacti before 0.8.7i allows remote attackers to hijack the authentication of unspecified victims via unknown vectors. Múltiples vulnerabilidades de falsificación de petición en sitios cruzados (CSRF) en logout.php en Cacti, permite a atacantes remotos secuestrar la autenticación de los administradores a través de vectores desconocidos. • http://bugs.cacti.net/view.php?id=2062 http://forums.cacti.net/viewtopic.php?f=21&t=44116 http://forums.cacti.net/viewtopic.php?f=4&t=45871 http://secunia.com/advisories/47195 http://www.securityfocus.com/bid/51048 https://exchange.xforce.ibmcloud.com/vulnerabilities/71792 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2011-4824
https://notcve.org/view.php?id=CVE-2011-4824
SQL injection vulnerability in auth_login.php in Cacti before 0.8.7h allows remote attackers to execute arbitrary SQL commands via the login_username parameter. Vulnerabilidad de inyección SQL en auth_login.php de Cacti en versiones anteriores a 0.8.7h permite a atacantes remotos ejecutar comandos SQL de su elección a través del parámetro login_username. • http://bugs.cacti.net/view.php?id=2062 http://forums.cacti.net/viewtopic.php?f=21&t=44116 http://lists.fedoraproject.org/pipermail/package-announce/2011-November/069126.html http://lists.fedoraproject.org/pipermail/package-announce/2011-November/069137.html http://lists.fedoraproject.org/pipermail/package-announce/2011-November/069141.html http://secunia.com/advisories/44133 http://secunia.com/advisories/46876 http://svn.cacti.net/viewvc?view=rev&revision=6807 http://www.cacti.net/release& • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2010-2544 – Cacti 0.8.7 (RedHat High Performance Computing [HPC]) - 'utilities.php?Filter' Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2010-2544
Cross-site scripting (XSS) vulnerability in utilities.php in Cacti before 0.8.7g, as used in Red Hat High Performance Computing (HPC) Solution and other products, allows remote attackers to inject arbitrary web script or HTML via the filter parameter. Una vulnerabilidad de ejecución de comandos en sitios cruzados(XSS) en utilities.php en Cacti antes de v0.8.7g, tal como se utiliza en Red Hat High Performance Computing (HPC) Solution y otros productos, permite a atacantes remotos inyectar secuencias de comandos web o HTML a través del parámetro 'filter'. • https://www.exploit-db.com/exploits/34504 http://cacti.net/release_notes_0_8_7g.php http://marc.info/?l=oss-security&m=127978954522586&w=2 http://marc.info/?l=oss-security&m=128017203704299&w=2 http://secunia.com/advisories/41041 http://svn.cacti.net/viewvc/cacti/branches/0.8.7/utilities.php?r1=6025&r2=6024&pathrev=6025 http://svn.cacti.net/viewvc?view=rev&revision=6025 http://www.mandriva.com/security/advisories? • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2010-1645 – cacti: multiple command injection flaws (BONSAI-2010-0105)
https://notcve.org/view.php?id=CVE-2010-1645
Cacti before 0.8.7f, as used in Red Hat High Performance Computing (HPC) Solution and other products, allows remote authenticated administrators to execute arbitrary commands via shell metacharacters in (1) the FQDN field of a Device or (2) the Vertical Label field of a Graph Template. Cacti antes de v0.8.7f, tal como se utiliza en Red Hat High Performance Computing (HPC) Solution y otros productos, permite a los administradores remotos autenticados ejecutar código arbitrario a través de metacaracteres de shell en (1) el campo FQDN (Nombre de dominio completo) de un 'Device' o (2) en el campo 'Vertical Label' de una plantilla de gráfico. • http://secunia.com/advisories/41041 http://svn.cacti.net/viewvc?view=rev&revision=5778 http://svn.cacti.net/viewvc?view=rev&revision=5782 http://svn.cacti.net/viewvc?view=rev&revision=5784 http://www.bonsai-sec.com/en/research/vulnerabilities/cacti-os-command-injection-0105.php http://www.cacti.net/release_notes_0_8_7f.php http://www.mandriva.com/security/advisories?name=MDVSA-2010:160 http://www.vupen.com/english/advisories/2010/2132 https://bugzilla.redhat.com/show_bug • CWE-20: Improper Input Validation •