CVE-2021-3816
https://notcve.org/view.php?id=CVE-2021-3816
Cacti 1.1.38 allows authenticated users with User Management permissions to inject arbitrary HTML in the group_prefix field during the creation of a new group via "Copy" method at user_group_admin.php. Cacti versión 1.1.38, permite a usuarios autenticados con permisos de administración de usuarios inyectar HTML arbitrario en el campo group_prefix durante la creación de un nuevo grupo por medio del método "Copy" en el archivo user_group_admin.php • https://www.cacti.net/info/changelog • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2020-14424
https://notcve.org/view.php?id=CVE-2020-14424
Cacti before 1.2.18 allows remote attackers to trigger XSS via template import for the midwinter theme. Cacti versiones anteriores a 1.2.18, permite a atacantes remotos desencadenar un ataque de tipo XSS por medio de la importación de plantillas para el tema midwinter • https://bugzilla.redhat.com/show_bug.cgi?id=2001016 https://github.com/Cacti/cacti/pull/4261 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2020-23226
https://notcve.org/view.php?id=CVE-2020-23226
Multiple Cross Site Scripting (XSS) vulneratiblities exist in Cacti 1.2.12 in (1) reports_admin.php, (2) data_queries.php, (3) data_input.php, (4) graph_templates.php, (5) graphs.php, (6) reports_admin.php, and (7) data_input.php. Se presentan múltiples vulnerabilidades de tipo Cross Site Scripting (XSS) en Cacti versión 1.2.12, en los archivos (1) reports_admin.php, (2) data_queries.php, (3) datat.ph_inpup, (4) graph_templates.php, (5) graphs.php, (6) reports_admin.php, y (7) data_input.php • https://github.com/Cacti/cacti/issues/3549 https://lists.debian.org/debian-lts-announce/2022/03/msg00038.html https://lists.debian.org/debian-lts-announce/2022/12/msg00039.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2020-35701
https://notcve.org/view.php?id=CVE-2020-35701
An issue was discovered in Cacti 1.2.x through 1.2.16. A SQL injection vulnerability in data_debug.php allows remote authenticated attackers to execute arbitrary SQL commands via the site_id parameter. This can lead to remote code execution. Se detectó un problema en Cacti versiones 1.2.x hasta 1.2.16. Una vulnerabilidad de inyección SQL en el archivo data_debug.php permite a atacantes autenticados remotos ejecutar comandos SQL arbitrarios por medio del parámetro site_id. • https://asaf.me/2020/12/15/cacti-1-2-0-to-1-2-16-sql-injection https://github.com/Cacti/cacti/issues/4022 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6DDD22Z56THHDTXAFM447UH3BVINURIF https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/C7DPUWZBAMCXFKAKUAJSHL3CKTOLGAK6 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NBKBR2MFZJ6C2I4I5PCRR6UERPY24XZN https://security.gentoo.org/glsa/202101-31 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2020-25706
https://notcve.org/view.php?id=CVE-2020-25706
A cross-site scripting (XSS) vulnerability exists in templates_import.php (Cacti 1.2.13) due to Improper escaping of error message during template import preview in the xml_path field Se presenta una vulnerabilidad de tipo cross-site scripting (XSS) en el archivo templates_import.php (Cacti versión 1.2.13) debido al escape inapropiado del mensaje de error durante la vista previa de la importación de la plantilla en el campo xml_path • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-25706 https://github.com/Cacti/cacti/commit/39458efcd5286d50e6b7f905fedcdc1059354e6e https://github.com/Cacti/cacti/issues/3723 https://lists.debian.org/debian-lts-announce/2022/12/msg00039.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •