CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2020-7058
https://notcve.org/view.php?id=CVE-2020-7058
15 Jan 2020 — data_input.php in Cacti 1.2.8 allows remote code execution via a crafted Input String to Data Collection -> Data Input Methods -> Unix -> Ping Host. NOTE: the vendor has stated "This is a false alarm. ** EN DISPUTA** el archivo data_input.php en Cacti versión 1.2.8, permite una ejecución de código remota por medio de una Cadena de Entrada diseñada en Data Collection-) Data Input Methods -) Unix -) Ping Host. NOTA: el vendedor ha declarado "Esto es una falsa alarma". • https://github.com/Cacti/cacti/issues/3186 • CWE-20: Improper Input Validation •
CVSS: 8.1EPSS: 1%CPEs: 3EXPL: 1CVE-2019-17358 – Debian Security Advisory 4604-1
https://notcve.org/view.php?id=CVE-2019-17358
12 Dec 2019 — Cacti through 1.2.7 is affected by multiple instances of lib/functions.php unsafe deserialization of user-controlled data to populate arrays. An authenticated attacker could use this to influence object data values and control actions taken by Cacti or potentially cause memory corruption in the PHP module. Cacti versiones hasta 1.2.7, está afectado por múltiples instancias de deserialización no segura de la biblioteca lib/functions.php de datos controlados por parte del usuario para llenar matrices. Un atac... • http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00001.html • CWE-502: Deserialization of Untrusted Data CWE-787: Out-of-bounds Write •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2019-16723 – Debian Security Advisory 4604-1
https://notcve.org/view.php?id=CVE-2019-16723
23 Sep 2019 — In Cacti through 1.2.6, authenticated users may bypass authorization checks (for viewing a graph) via a direct graph_json.php request with a modified local_graph_id parameter. En Cacti versiones hasta 1.2.6, los usuarios autenticados pueden omitir las comprobaciones de autorización (para visualizar un gráfico) por medio de una petición directa del archivo graph_json.php con un parámetro local_graph_id modificado. Multiple issues have been found in cacti, a server monitoring system, potentially resulting in ... • http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00001.html • CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 5.4EPSS: 0%CPEs: 3EXPL: 1CVE-2019-11025
https://notcve.org/view.php?id=CVE-2019-11025
08 Apr 2019 — In clearFilter() in utilities.php in Cacti before 1.2.3, no escaping occurs before printing out the value of the SNMP community string (SNMP Options) in the View poller cache, leading to XSS. En clearFilter() en utilities.php en Cacti versiones anteriores a 1.2.3, no se produce ningún escape antes de imprimir el valor de la cadena de comunidad SNMP (Opciones SNMP) en la caché View poller, lo que conduce a XSS. • https://github.com/Cacti/cacti/compare/6ea486a...99995bb • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1CVE-2018-20724
https://notcve.org/view.php?id=CVE-2018-20724
16 Jan 2019 — A cross-site scripting (XSS) vulnerability exists in pollers.php in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Website Hostname for Data Collectors. Existe una vulnerabilidad Cross-Site Scripting (XSS) en pollers.php en Cacti, en versiones anteriores a la 1.2.0, debido a la falta de escapado de caracteres no planeados en el campo nombre de host del sitio web para los recolectores de datos. • http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00001.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1CVE-2018-20723
https://notcve.org/view.php?id=CVE-2018-20723
16 Jan 2019 — A cross-site scripting (XSS) vulnerability exists in color_templates.php in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Name field for a Color. Existe una vulnerabilidad Cross-Site Scripting (XSS) en color_templates.php en Cacti, en versiones anteriores a la 1.2.0, debido a la falta de escapado de caracteres no planeados en el campo Name de un color. • http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00001.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1CVE-2018-20725
https://notcve.org/view.php?id=CVE-2018-20725
16 Jan 2019 — A cross-site scripting (XSS) vulnerability exists in graph_templates.php in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Graph Vertical Label. Existe una vulnerabilidad Cross-Site Scripting (XSS) en graph_templates.php en Cacti, en versiones anteriores a la 1.2.0, debido a la falta de escapado de caracteres no planeados en Graph Vertical Label. • http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00001.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2018-20726
https://notcve.org/view.php?id=CVE-2018-20726
16 Jan 2019 — A cross-site scripting (XSS) vulnerability exists in host.php (via tree.php) in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Website Hostname field for Devices. Existe una vulnerabilidad Cross-Site Scripting (XSS) en host.php (mediante tree.php) en Cacti, en versiones anteriores a la 1.2.0, debido a la falta de escapado de caracteres no planeados en el campo Website Hostname de Devices. • http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00001.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 2EXPL: 1CVE-2018-10061
https://notcve.org/view.php?id=CVE-2018-10061
12 Apr 2018 — Cacti before 1.1.37 has XSS because it makes certain htmlspecialchars calls without the ENT_QUOTES flag (these calls occur when the html_escape function in lib/html.php is not used). Cacti, en versiones anteriores a la 1.1.37, tiene Cross-Site Scripting (XSS) debido a que realiza ciertas llamadas htmlspecialchars sin la marca ENT_QUOTES (estas llamadas ocurren cuando no se emplea la función html_escape en lib/html.php). • http://www.securitytracker.com/id/1040620 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2018-10059
https://notcve.org/view.php?id=CVE-2018-10059
12 Apr 2018 — Cacti before 1.1.37 has XSS because the get_current_page function in lib/functions.php relies on $_SERVER['PHP_SELF'] instead of $_SERVER['SCRIPT_NAME'] to determine a page name. Cacti, en versiones anteriores a la 1.1.37, tiene Cross-Site Scripting (XSS) debido a que la función get_current_page en lib/functions.php depende de $_SERVER['PHP_SELF'] en lugar de $_SERVER['SCRIPT_NAME'] para determinar un nombre de página. • http://www.securitytracker.com/id/1040620 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •