CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2019-16723
https://notcve.org/view.php?id=CVE-2019-16723
In Cacti through 1.2.6, authenticated users may bypass authorization checks (for viewing a graph) via a direct graph_json.php request with a modified local_graph_id parameter. En Cacti versiones hasta 1.2.6, los usuarios autenticados pueden omitir las comprobaciones de autorización (para visualizar un gráfico) por medio de una petición directa del archivo graph_json.php con un parámetro local_graph_id modificado. • http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00001.html http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00005.html http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00042.html http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00048.html https://github.com/Cacti/cacti/issues/2964 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZO3ROHHPKLH2JRW7ES5FYSQTWIPNVLQB https://lists.fedoraproject.org/archives/list/package • CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 5.4EPSS: 0%CPEs: 3EXPL: 1CVE-2019-11025
https://notcve.org/view.php?id=CVE-2019-11025
In clearFilter() in utilities.php in Cacti before 1.2.3, no escaping occurs before printing out the value of the SNMP community string (SNMP Options) in the View poller cache, leading to XSS. En clearFilter() en utilities.php en Cacti versiones anteriores a 1.2.3, no se produce ningún escape antes de imprimir el valor de la cadena de comunidad SNMP (Opciones SNMP) en la caché View poller, lo que conduce a XSS. • https://github.com/Cacti/cacti/compare/6ea486a...99995bb https://github.com/Cacti/cacti/issues/2581 https://lists.debian.org/debian-lts-announce/2019/04/msg00017.html https://lists.debian.org/debian-lts-announce/2022/03/msg00038.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1CVE-2018-20724
https://notcve.org/view.php?id=CVE-2018-20724
A cross-site scripting (XSS) vulnerability exists in pollers.php in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Website Hostname for Data Collectors. Existe una vulnerabilidad Cross-Site Scripting (XSS) en pollers.php en Cacti, en versiones anteriores a la 1.2.0, debido a la falta de escapado de caracteres no planeados en el campo nombre de host del sitio web para los recolectores de datos. • http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00001.html http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00005.html http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00042.html http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00048.html https://github.com/Cacti/cacti/blob/develop/CHANGELOG https://github.com/Cacti/cacti/commit/1f42478506d83d188f68ce5ff41728a7bd159f53 https://github.com/Cacti/cacti/issues/2212 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2018-20726
https://notcve.org/view.php?id=CVE-2018-20726
A cross-site scripting (XSS) vulnerability exists in host.php (via tree.php) in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Website Hostname field for Devices. Existe una vulnerabilidad Cross-Site Scripting (XSS) en host.php (mediante tree.php) en Cacti, en versiones anteriores a la 1.2.0, debido a la falta de escapado de caracteres no planeados en el campo Website Hostname de Devices. • http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00001.html http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00005.html http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00042.html http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00048.html https://github.com/Cacti/cacti/blob/develop/CHANGELOG https://github.com/Cacti/cacti/commit/80c2a88fb2afb93f87703ba4641f9970478c102d https://github.com/Cacti/cacti/issues/2213 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1CVE-2018-20725
https://notcve.org/view.php?id=CVE-2018-20725
A cross-site scripting (XSS) vulnerability exists in graph_templates.php in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Graph Vertical Label. Existe una vulnerabilidad Cross-Site Scripting (XSS) en graph_templates.php en Cacti, en versiones anteriores a la 1.2.0, debido a la falta de escapado de caracteres no planeados en Graph Vertical Label. • http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00001.html http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00005.html http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00042.html http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00048.html https://github.com/Cacti/cacti/blob/develop/CHANGELOG https://github.com/Cacti/cacti/commit/80c2a88fb2afb93f87703ba4641f9970478c102d https://github.com/Cacti/cacti/issues/2214 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •