CVSS: 9.8EPSS: 96%CPEs: 1EXPL: 26CVE-2022-46169 – Cacti Command Injection Vulnerability
https://notcve.org/view.php?id=CVE-2022-46169
Cacti is an open source platform which provides a robust and extensible operational monitoring and fault management framework for users. In affected versions a command injection vulnerability allows an unauthenticated user to execute arbitrary code on a server running Cacti, if a specific data source was selected for any monitored device. The vulnerability resides in the `remote_agent.php` file. This file can be accessed without authentication. This function retrieves the IP address of the client via `get_client_addr` and resolves this IP address to the corresponding hostname via `gethostbyaddr`. • https://www.exploit-db.com/exploits/51166 https://github.com/0xf4n9x/CVE-2022-46169 https://github.com/sAsPeCt488/CVE-2022-46169 https://github.com/FredBrave/CVE-2022-46169-CACTI-1.2.22 https://github.com/c3rrberu5/CVE-2022-46169 https://github.com/Inplex-sys/CVE-2022-46169 https://github.com/taythebot/CVE-2022-46169 https://github.com/Habib0x0/CVE-2022-46169 https://github.com/ruycr4ft/CVE-2022-46169 https://github.com/a1665454764/CVE-2022-46169 https://github& • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE-863: Incorrect Authorization •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2020-14424
https://notcve.org/view.php?id=CVE-2020-14424
Cacti before 1.2.18 allows remote attackers to trigger XSS via template import for the midwinter theme. Cacti versiones anteriores a 1.2.18, permite a atacantes remotos desencadenar un ataque de tipo XSS por medio de la importación de plantillas para el tema midwinter • https://bugzilla.redhat.com/show_bug.cgi?id=2001016 https://github.com/Cacti/cacti/pull/4261 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 1%CPEs: 4EXPL: 1CVE-2020-35701
https://notcve.org/view.php?id=CVE-2020-35701
An issue was discovered in Cacti 1.2.x through 1.2.16. A SQL injection vulnerability in data_debug.php allows remote authenticated attackers to execute arbitrary SQL commands via the site_id parameter. This can lead to remote code execution. Se detectó un problema en Cacti versiones 1.2.x hasta 1.2.16. Una vulnerabilidad de inyección SQL en el archivo data_debug.php permite a atacantes autenticados remotos ejecutar comandos SQL arbitrarios por medio del parámetro site_id. • https://asaf.me/2020/12/15/cacti-1-2-0-to-1-2-16-sql-injection https://github.com/Cacti/cacti/issues/4022 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6DDD22Z56THHDTXAFM447UH3BVINURIF https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/C7DPUWZBAMCXFKAKUAJSHL3CKTOLGAK6 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NBKBR2MFZJ6C2I4I5PCRR6UERPY24XZN https://security.gentoo.org/glsa/202101-31 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 2CVE-2020-25706
https://notcve.org/view.php?id=CVE-2020-25706
A cross-site scripting (XSS) vulnerability exists in templates_import.php (Cacti 1.2.13) due to Improper escaping of error message during template import preview in the xml_path field Se presenta una vulnerabilidad de tipo cross-site scripting (XSS) en el archivo templates_import.php (Cacti versión 1.2.13) debido al escape inapropiado del mensaje de error durante la vista previa de la importación de la plantilla en el campo xml_path • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-25706 https://github.com/Cacti/cacti/commit/39458efcd5286d50e6b7f905fedcdc1059354e6e https://github.com/Cacti/cacti/issues/3723 https://lists.debian.org/debian-lts-announce/2022/12/msg00039.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •