CVSS: 4.3EPSS: 2%CPEs: 1EXPL: 2CVE-2009-4032 – Cacti 0.8.x - 'graph.php' Multiple Cross-Site Scripting Vulnerabilities
https://notcve.org/view.php?id=CVE-2009-4032
Multiple cross-site scripting (XSS) vulnerabilities in Cacti 0.8.7e allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) graph.php, (2) include/top_graph_header.php, (3) lib/html_form.php, and (4) lib/timespan_settings.php, as demonstrated by the (a) graph_end or (b) graph_start parameters to graph.php; (c) the date1 parameter in a tree action to graph_view.php; and the (d) page_refresh and (e) default_dual_pane_width parameters to graph_settings.php. Múltiples vulnerabilidades de XSS en Cacti 0.8.7e permiten a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarias a través de vectores relacionados con (1) graph.php, (2) include/top_graph_header.php, (3) lib/html_form.php y (4) lib/timespan_settings.php, como es demostrado por los parámetros (a) graph_end o (b) graph_start a graph.php; (c) el parámetro date1 en una acción tree a graph_view.php; y los parámetros (d) page_refresh y (e) default_dual_pane_width a graph_settings.php. Cacti versions 0.8.7e and below suffer from cross site scripting and privilege escalation vulnerabilities. • https://www.exploit-db.com/exploits/33374 https://www.exploit-db.com/exploits/10234 http://archives.neohapsis.com/archives/fulldisclosure/2009-11/0292.html http://bugs.gentoo.org/show_bug.cgi?id=294573 http://docs.cacti.net/#cross-site_scripting_fixes http://jvn.jp/en/jp/JVN09758120/index.html http://jvndb.jvn.jp/ja/contents/2009/JVNDB-2009-003901.html http://secunia.com/advisories/37481 http://secunia.com/advisories/37934 http://secunia.com/advisories/38087 http: • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 1%CPEs: 16EXPL: 3CVE-2008-0783 – Cacti 0.8.7 - 'graph_view.php?filter' Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2008-0783
Multiple cross-site scripting (XSS) vulnerabilities in Cacti 0.8.7 before 0.8.7b and 0.8.6 before 0.8.6k allow remote attackers to inject arbitrary web script or HTML via (1) the view_type parameter to graph.php; (2) the filter parameter to graph_view.php; (3) the action parameter to the draw_navigation_text function in lib/functions.php, reachable through index.php (aka the login page) or data_input.php; or (4) the login_username parameter to index.php. Múltiples vulnerabilidades de tipo cross-site scripting (XSS) en Cacti versión 0.8.7 anterior a 0.8.7b y versión 0.8.6 anterior a 0.8.6k, permiten a los atacantes remotos inyectar script web o HTML arbitrario por medio de (1) el parámetro view_type en el archivo graph.php; (2) el parámetro filter en el archivo graph_view.php; (3) el parámetro action en la función draw_navigation_text en el archivo lib/functions.php, accesible por medio del archivo index.php (también conocido como la página de inicio de sesión) o el archivo data_input.php; o (4) el parámetro login_username en el archivo index.php. • https://www.exploit-db.com/exploits/31158 https://www.exploit-db.com/exploits/31157 http://bugs.cacti.net/view.php?id=1245 http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00001.html http://secunia.com/advisories/28872 http://secunia.com/advisories/28976 http://secunia.com/advisories/29242 http://secunia.com/advisories/29274 http://secunia.com/advisories/30045 http://security.gentoo.org/glsa/glsa-200803-18.xml http://securityreason.com/securityalert/3657 http&# • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.0EPSS: 0%CPEs: 16EXPL: 1CVE-2008-0784
https://notcve.org/view.php?id=CVE-2008-0784
graph.php in Cacti 0.8.7 before 0.8.7b and 0.8.6 before 0.8.6k allows remote attackers to obtain the full path via an invalid local_graph_id parameter and other unspecified vectors. Graph.php en Cacti 0.8.7 anterior a 0.8.7b y 0.8.6 anterior a 0.8.6k, permite a atacantes remotos obtener la ruta completa a través de un parámetro local_graph_id inválido y otros vectores no especificados. • http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00001.html http://secunia.com/advisories/28872 http://secunia.com/advisories/28976 http://secunia.com/advisories/29242 http://secunia.com/advisories/29274 http://security.gentoo.org/glsa/glsa-200803-18.xml http://securityreason.com/securityalert/3657 http://www.cacti.net/release_notes_0_8_7b.php http://www.mandriva.com/security/advisories?name=MDVSA-2008:052 http://www.securityfocus.com/archive/1/488013/100/0/thr • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.5EPSS: 0%CPEs: 16EXPL: 5CVE-2008-0785 – Cacti 0.8.7 - '/index.php/sql.php?Login Action login_username' SQL Injection
https://notcve.org/view.php?id=CVE-2008-0785
Multiple SQL injection vulnerabilities in Cacti 0.8.7 before 0.8.7b and 0.8.6 before 0.8.6k allow remote authenticated users to execute arbitrary SQL commands via the (1) graph_list parameter to graph_view.php, (2) leaf_id and id parameters to tree.php, (3) local_graph_id parameter to graph_xport.php, and (4) login_username parameter to index.php/login. Múltiples vulnerabilidades de inyección SQL en Cacti 0.8.7 anterior a 0.8.7b y 0.8.6 anterior a 0.8.6k. que permite a usuarios autentificados remotamente ejecutar comandos SQL de su elección a través de los parámetros: (1) graph_list a graph_view.php, (2) leaf_id e id a tree.php, (3) local_graph_id a graph_xport.php y (4) login_username a index.php/login. • https://www.exploit-db.com/exploits/31161 https://www.exploit-db.com/exploits/31156 https://www.exploit-db.com/exploits/31160 https://www.exploit-db.com/exploits/31159 http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00001.html http://secunia.com/advisories/28872 http://secunia.com/advisories/28976 http://secunia.com/advisories/29242 http://secunia.com/advisories/29274 http://secunia.com/advisories/30045 http://security.gentoo.org/glsa/glsa-200803-18.xml h • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 4.3EPSS: 0%CPEs: 16EXPL: 0CVE-2008-0786
https://notcve.org/view.php?id=CVE-2008-0786
CRLF injection vulnerability in Cacti 0.8.7 before 0.8.7b and 0.8.6 before 0.8.6k, when running on older PHP interpreters, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors. Vulnerabilidad de inyección CRLF en Cacti 0.8.7 anterior a 0.8.7b y 0.8.6 anterior a 0.8.6k, cuando se ejecuta en intérpretes PHP antiguos, permite a atacantes remotos inyectar cabeceras HTTP de su elección y llevar a cabo ataques de división de respuesta HTTP a través de vectores no especificados. • http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00001.html http://secunia.com/advisories/28872 http://secunia.com/advisories/28976 http://secunia.com/advisories/29242 http://secunia.com/advisories/29274 http://security.gentoo.org/glsa/glsa-200803-18.xml http://securityreason.com/securityalert/3657 http://www.cacti.net/release_notes_0_8_7b.php http://www.mandriva.com/security/advisories?name=MDVSA-2008:052 http://www.securityfocus.com/archive/1/488013/100/0/thr • CWE-94: Improper Control of Generation of Code ('Code Injection') •