CVSS: 10.0EPSS: 96%CPEs: 1EXPL: 37CVE-2022-46169 – Cacti Command Injection Vulnerability
https://notcve.org/view.php?id=CVE-2022-46169
05 Dec 2022 — Cacti is an open source platform which provides a robust and extensible operational monitoring and fault management framework for users. In affected versions a command injection vulnerability allows an unauthenticated user to execute arbitrary code on a server running Cacti, if a specific data source was selected for any monitored device. The vulnerability resides in the `remote_agent.php` file. This file can be accessed without authentication. This function retrieves the IP address of the client via `get_c... • https://packetstorm.news/files/id/171608 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE-863: Incorrect Authorization •
CVSS: 9.8EPSS: 0%CPEs: 7EXPL: 0CVE-2022-0730 – Debian Security Advisory 5298-1
https://notcve.org/view.php?id=CVE-2022-0730
03 Mar 2022 — Under certain ldap conditions, Cacti authentication can be bypassed with certain credential types. Bajo determinadas condiciones de ldap, la autenticación de Cacti puede ser omitida con determinados tipos de credenciales Two security vulnerabilities have been discovered in Cacti, a web interface for graphing of monitoring systems, which could result in unauthenticated command injection or LDAP authentication bypass. • https://github.com/Cacti/cacti/issues/4562 • CWE-287: Improper Authentication •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2021-26247
https://notcve.org/view.php?id=CVE-2021-26247
19 Jan 2022 — As an unauthenticated remote user, visit "http://<CACTI_SERVER>/auth_changepassword.php?ref=<script>alert(1)</script>" to successfully execute the JavaScript payload present in the "ref" URL parameter. Como usuario remoto no autenticado, visita "http:///auth_changepassword.php?ref=" para ejecutar con éxito la carga útil de JavaScript presente en el parámetro "ref" de la URL • https://www.cacti.net/info/changelog • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 2EXPL: 0CVE-2021-23225
https://notcve.org/view.php?id=CVE-2021-23225
19 Jan 2022 — Cacti 1.1.38 allows authenticated users with User Management permissions to inject arbitrary web script or HTML in the "new_username" field during creation of a new user via "Copy" method at user_admin.php. Cacti versión 1.1.38, permite a usuarios autenticados con permisos de administración de usuarios inyectar un script web o HTML arbitrario en el campo "new_username" durante la creación de un nuevo usuario por medio del método "Copy" en el archivo user_admin.php • https://lists.debian.org/debian-lts-announce/2022/03/msg00038.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2021-3816
https://notcve.org/view.php?id=CVE-2021-3816
19 Jan 2022 — Cacti 1.1.38 allows authenticated users with User Management permissions to inject arbitrary HTML in the group_prefix field during the creation of a new group via "Copy" method at user_group_admin.php. Cacti versión 1.1.38, permite a usuarios autenticados con permisos de administración de usuarios inyectar HTML arbitrario en el campo group_prefix durante la creación de un nuevo grupo por medio del método "Copy" en el archivo user_group_admin.php • https://www.cacti.net/info/changelog • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2020-14424 – Gentoo Linux Security Advisory 202412-02
https://notcve.org/view.php?id=CVE-2020-14424
14 Nov 2021 — Cacti before 1.2.18 allows remote attackers to trigger XSS via template import for the midwinter theme. Cacti versiones anteriores a 1.2.18, permite a atacantes remotos desencadenar un ataque de tipo XSS por medio de la importación de plantillas para el tema midwinter Multiple vulnerabilities have been discovered in Cacti, the worst of which can lead to privilege escalation. Versions greater than or equal to 1.2.26 are affected. • https://bugzilla.redhat.com/show_bug.cgi?id=2001016 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 1CVE-2020-23226
https://notcve.org/view.php?id=CVE-2020-23226
27 Aug 2021 — Multiple Cross Site Scripting (XSS) vulneratiblities exist in Cacti 1.2.12 in (1) reports_admin.php, (2) data_queries.php, (3) data_input.php, (4) graph_templates.php, (5) graphs.php, (6) reports_admin.php, and (7) data_input.php. Se presentan múltiples vulnerabilidades de tipo Cross Site Scripting (XSS) en Cacti versión 1.2.12, en los archivos (1) reports_admin.php, (2) data_queries.php, (3) datat.ph_inpup, (4) graph_templates.php, (5) graphs.php, (6) reports_admin.php, y (7) data_input.php • https://github.com/Cacti/cacti/issues/3549 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 2%CPEs: 4EXPL: 1CVE-2020-35701 – Gentoo Linux Security Advisory 202101-31
https://notcve.org/view.php?id=CVE-2020-35701
11 Jan 2021 — An issue was discovered in Cacti 1.2.x through 1.2.16. A SQL injection vulnerability in data_debug.php allows remote authenticated attackers to execute arbitrary SQL commands via the site_id parameter. This can lead to remote code execution. Se detectó un problema en Cacti versiones 1.2.x hasta 1.2.16. Una vulnerabilidad de inyección SQL en el archivo data_debug.php permite a atacantes autenticados remotos ejecutar comandos SQL arbitrarios por medio del parámetro site_id. • https://asaf.me/2020/12/15/cacti-1-2-0-to-1-2-16-sql-injection • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 2CVE-2020-25706
https://notcve.org/view.php?id=CVE-2020-25706
12 Nov 2020 — A cross-site scripting (XSS) vulnerability exists in templates_import.php (Cacti 1.2.13) due to Improper escaping of error message during template import preview in the xml_path field Se presenta una vulnerabilidad de tipo cross-site scripting (XSS) en el archivo templates_import.php (Cacti versión 1.2.13) debido al escape inapropiado del mensaje de error durante la vista previa de la importación de la plantilla en el campo xml_path • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-25706 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.2EPSS: 85%CPEs: 3EXPL: 8CVE-2020-14295 – Cacti 1.2.12 - 'filter' SQL Injection
https://notcve.org/view.php?id=CVE-2020-14295
17 Jun 2020 — A SQL injection issue in color.php in Cacti 1.2.12 allows an admin to inject SQL via the filter parameter. This can lead to remote command execution because the product accepts stacked queries. Un problema de inyección SQL en el archivo color.php en Cacti versión 1.2.12, permite a un administrador inyectar SQL por medio del parámetro filter. Esto puede conllevar a una ejecución de comandos remota porque el producto acepta consultas en pila Multiple vulnerabilities have been found in Cacti, the worst of whic... • https://packetstorm.news/files/id/162918 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •