CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 1CVE-2023-39366 – Stored Cross-site Scripting in data_sources.php through Device-Name in 'select' input in Cacti
https://notcve.org/view.php?id=CVE-2023-39366
05 Sep 2023 — Cacti is an open source operational monitoring and fault management framework. Affected versions are subject to a Stored Cross-Site-Scripting (XSS) Vulnerability allows an authenticated user to poison data stored in the _cacti_'s database. These data will be viewed by administrative _cacti_ accounts and execute JavaScript code in the victim's browser at view-time. The `data_sources.php` script displays the data source management information (e.g. data source path, polling configuration etc.) for different d... • https://github.com/Cacti/cacti/security/advisories/GHSA-rwhh-xxm6-vcrv • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 1CVE-2023-39510 – Stored Cross-site Scripting in reports_admin.php through Device-Name in 'select' input in Cacti
https://notcve.org/view.php?id=CVE-2023-39510
05 Sep 2023 — Cacti is an open source operational monitoring and fault management framework. Affected versions are subject to a Stored Cross-Site-Scripting (XSS) Vulnerability allows an authenticated user to poison data stored in the _cacti_'s database. These data will be viewed by administrative _cacti_ accounts and execute JavaScript code in the victim's browser at view-time. The`reports_admin.php` script displays reporting information about graphs, devices, data sources etc. CENSUS found that an adversary that is able... • https://github.com/Cacti/cacti/security/advisories/GHSA-24w4-4hp2-3j8h • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 1CVE-2023-39512 – Stored Cross-site Scripting on data_sources.php device name view in Cacti
https://notcve.org/view.php?id=CVE-2023-39512
05 Sep 2023 — Cacti is an open source operational monitoring and fault management framework. Affected versions are subject to a Stored Cross-Site-Scripting (XSS) Vulnerability which allows an authenticated user to poison data stored in the _cacti_'s database. These data will be viewed by administrative _cacti_ accounts and execute JavaScript code in the victim's browser at view-time. The script under `data_sources.php` displays the data source management information (e.g. data source path, polling configuration, device n... • https://github.com/Cacti/cacti/security/advisories/GHSA-vqcc-5v63-g9q7 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 1CVE-2023-39513 – Stored Cross-site Scripting on host.php verbose data-query debug view in Cacti
https://notcve.org/view.php?id=CVE-2023-39513
05 Sep 2023 — Cacti is an open source operational monitoring and fault management framework. Affected versions are subject to a Stored Cross-Site-Scripting (XSS) Vulnerability which allows an authenticated user to poison data stored in the _cacti_'s database. These data will be viewed by administrative _cacti_ accounts and execute JavaScript code in the victim's browser at view-time. The script under `host.php` is used to monitor and manage hosts in the _cacti_ app, hence displays useful information such as data queries ... • https://github.com/Cacti/cacti/security/advisories/GHSA-9fj7-8f2j-2rw2 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 1CVE-2023-39515 – Stored Cross-site Scripting on data_debug.php datasource path view in Cacti
https://notcve.org/view.php?id=CVE-2023-39515
05 Sep 2023 — Cacti is an open source operational monitoring and fault management framework. Affected versions are subject to a Stored Cross-Site-Scripting (XSS) Vulnerability allows an authenticated user to poison data stored in the cacti's database. These data will be viewed by administrative cacti accounts and execute JavaScript code in the victim's browser at view-time. The script under `data_debug.php` displays data source related debugging information such as _data source paths, polling settings, meta-data on the d... • https://github.com/Cacti/cacti/security/advisories/GHSA-hrg9-qqqx-wc4h • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 1CVE-2023-39514 – Stored Cross-site Scripting on graphs.php data template formated name view in Cacti
https://notcve.org/view.php?id=CVE-2023-39514
05 Sep 2023 — Cacti is an open source operational monitoring and fault management framework. Affected versions are subject to a Stored Cross-Site-Scripting (XSS) Vulnerability which allows an authenticated user to poison data stored in the _cacti_'s database. These data will be viewed by administrative _cacti_ accounts and execute JavaScript code in the victim's browser at view-time. The script under `graphs.php` displays graph details such as data-source paths, data template information and graph related fields. _CENSUS... • https://github.com/Cacti/cacti/security/advisories/GHSA-6hrc-2cfc-8hm7 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1CVE-2022-48547 – Gentoo Linux Security Advisory 202412-02
https://notcve.org/view.php?id=CVE-2022-48547
22 Aug 2023 — A reflected cross-site scripting (XSS) vulnerability in Cacti 0.8.7g and earlier allows unauthenticated remote attackers to inject arbitrary web script or HTML in the "ref" parameter at auth_changepassword.php. Multiple vulnerabilities have been discovered in Cacti, the worst of which can lead to privilege escalation. Versions greater than or equal to 1.2.26 are affected. • https://github.com/Cacti/cacti/issues/1882 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-37543
https://notcve.org/view.php?id=CVE-2023-37543
10 Aug 2023 — Cacti before 1.2.6 allows IDOR (Insecure Direct Object Reference) for accessing any graph via a modified local_graph_id parameter to graph_xport.php. This is a different vulnerability than CVE-2019-16723. Cacti anterior a 1.2.6 permite IDOR (Referencia directa a objetos inseguros) para acceder a cualquier gráfico a través de un parámetro local_graph_id modificado en graph_xport.php. Esta es una vulnerabilidad diferente a CVE-2019-16723. • https://github.com/Cacti/cacti/security/advisories/GHSA-4x82-8w8m-w8hj • CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 10.0EPSS: 96%CPEs: 1EXPL: 37CVE-2022-46169 – Cacti Command Injection Vulnerability
https://notcve.org/view.php?id=CVE-2022-46169
05 Dec 2022 — Cacti is an open source platform which provides a robust and extensible operational monitoring and fault management framework for users. In affected versions a command injection vulnerability allows an unauthenticated user to execute arbitrary code on a server running Cacti, if a specific data source was selected for any monitored device. The vulnerability resides in the `remote_agent.php` file. This file can be accessed without authentication. This function retrieves the IP address of the client via `get_c... • https://packetstorm.news/files/id/171608 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE-863: Incorrect Authorization •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2021-26247
https://notcve.org/view.php?id=CVE-2021-26247
19 Jan 2022 — As an unauthenticated remote user, visit "http://<CACTI_SERVER>/auth_changepassword.php?ref=<script>alert(1)</script>" to successfully execute the JavaScript payload present in the "ref" URL parameter. Como usuario remoto no autenticado, visita "http:///auth_changepassword.php?ref=" para ejecutar con éxito la carga útil de JavaScript presente en el parámetro "ref" de la URL • https://www.cacti.net/info/changelog • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •