
CVSS: 9.0 • EPSS: 0% • CPEs: 1 • EXPL: 1

08 Nov 2017 — Cacti 1.1.27 allows remote authenticated administrators to conduct Remote Code Execution attacks by placing the Log Path under the web root, and then making a remote_agent.php request containing PHP code in a Client-ip header. • https://github.com/Cacti/cacti/issues/1066 • CWE-668: Exposure of Resource to Wrong Sphere

CVSS: 9.0 • EPSS: 0% • CPEs: 1 • EXPL: 1

07 Nov 2017 — lib/rrd.php in Cacti 1.1.27 allows remote authenticated administrators to execute arbitrary OS commands via the path_rrdtool parameter in an action=save request to settings.php. • https://github.com/Cacti/cacti/issues/1057 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 1

10 Oct 2017 — include/global_session.php in Cacti 1.1.25 has XSS related to (1) the URI or (2) the refresh page. • http://www.securitytracker.com/id/1039569 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 5.4 • EPSS: 0% • CPEs: 1 • EXPL: 0

21 Aug 2017 — lib/html.php in Cacti before 1.1.18 has XSS via the title field of an external link added by an authenticated user. • http://www.securitytracker.com/id/1039226 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

18 Aug 2017 — A cross-site scripting vulnerability exists in Cacti 1.1.17 in the method parameter in spikekill.php. • http://www.securityfocus.com/bid/100490 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 9.8 • EPSS: 3% • CPEs: 1 • EXPL: 0

01 Aug 2017 — spikekill.php in Cacti before 1.1.16 might allow remote attackers to execute arbitrary code via the avgnan, outlier-start, or outlier-end parameter. Multiple vulnerabilities have been found in Cacti, the worst of which could lead to the remote execution of arbitrary code. Versions less than 1.1.20:1.1.20 are affected. • http://www.securityfocus.com/bid/100080

CVSS: 5.4 • EPSS: 0% • CPEs: 1 • EXPL: 0

01 Aug 2017 — Cross-site scripting (XSS) vulnerability in aggregate_graphs.php in Cacti before 1.1.16 allows remote authenticated users to inject arbitrary web script or HTML via specially crafted HTTP Referer headers, related to the $cancel_url variable. NOTE: this vulnerability exists because of an incomplete fix (lack of the htmlspecialchars ENT_QUOTES flag) for CVE-2017-11163. • https://cacti.net/release_notes.php?version=1.1.16 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 5.4 • EPSS: 0% • CPEs: 1 • EXPL: 1

27 Jul 2017 — Cross-site scripting (XSS) vulnerability in auth_profile.php in Cacti 1.1.13 allows remote attackers to inject arbitrary web script or HTML via specially crafted HTTP Referer headers. • http://www.securityfocus.com/bid/100022 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

13 Jul 2017 — Cross-site scripting (XSS) vulnerabilities in Cacti 0.8.8b allow remote attackers to inject arbitrary web script or HTML via the parent_id parameter to tree.php and drp_action parameter to data_sources.php. • https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2016-007 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 8.8 • EPSS: 0% • CPEs: 1 • EXPL: 1

13 Jul 2017 — SQL injection vulnerability in graph_templates_inputs.php in Cacti 0.8.8b allows remote attackers to execute arbitrary SQL commands via the graph_template_input_id and graph_template_id parameters. • https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2016-007/?fid=7789 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')