CVSS: 5.4EPSS: 0%CPEs: 2EXPL: 1CVE-2018-10060
https://notcve.org/view.php?id=CVE-2018-10060
Cacti before 1.1.37 has XSS because it does not properly reject unintended characters, related to use of the sanitize_uri function in lib/functions.php. Cacti, en versiones anteriores a la 1.1.37, tiene Cross-Site Scripting (XSS) debido a que no rechaza correctamente los caracteres no deseados. Esto se relaciona con el uso de la función sanitize_uri en lib/functions.php. • http://www.securitytracker.com/id/1040620 https://github.com/Cacti/cacti/issues/1457 https://lists.debian.org/debian-lts-announce/2022/03/msg00038.html https://www.cacti.net/changelog.php • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 2EXPL: 1CVE-2018-10061
https://notcve.org/view.php?id=CVE-2018-10061
Cacti before 1.1.37 has XSS because it makes certain htmlspecialchars calls without the ENT_QUOTES flag (these calls occur when the html_escape function in lib/html.php is not used). Cacti, en versiones anteriores a la 1.1.37, tiene Cross-Site Scripting (XSS) debido a que realiza ciertas llamadas htmlspecialchars sin la marca ENT_QUOTES (estas llamadas ocurren cuando no se emplea la función html_escape en lib/html.php). • http://www.securitytracker.com/id/1040620 https://github.com/Cacti/cacti/issues/1457 https://lists.debian.org/debian-lts-announce/2022/03/msg00038.html https://www.cacti.net/changelog.php • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2018-10059
https://notcve.org/view.php?id=CVE-2018-10059
Cacti before 1.1.37 has XSS because the get_current_page function in lib/functions.php relies on $_SERVER['PHP_SELF'] instead of $_SERVER['SCRIPT_NAME'] to determine a page name. Cacti, en versiones anteriores a la 1.1.37, tiene Cross-Site Scripting (XSS) debido a que la función get_current_page en lib/functions.php depende de $_SERVER['PHP_SELF'] en lugar de $_SERVER['SCRIPT_NAME'] para determinar un nombre de página. • http://www.securitytracker.com/id/1040620 https://github.com/Cacti/cacti/issues/1457 https://www.cacti.net/changelog.php • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2016-10700
https://notcve.org/view.php?id=CVE-2016-10700
auth_login.php in Cacti before 1.0.0 allows remote authenticated users who use web authentication to bypass intended access restrictions by logging in as a user not in the cacti database, because the guest user is not considered. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-2313. auth_login.php en versiones anteriores a la 1.0.0 de Cacti permite que usuarios autenticados remotos que emplean la autenticación web omitan las restricciones de acceso planeadas iniciando sesión como usuario que no está en la base de datos de Cacti, ya que el usuario invitado no está considerado. NOTA: Esta vulnerabilidad existe debido a una solución incompleta para CVE-2016-2313. • http://bugs.cacti.net/view.php?id=2697 http://www.cacti.net/release_notes_1_0_0.php https://github.com/Cacti/cacti/commit/69983495cd41bf0903fe02baeef84b1fa85f2846 https://web.archive.org/web/20160817090458/http://bugs.cacti.net/view.php?id=2697 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2014-4000
https://notcve.org/view.php?id=CVE-2014-4000
Cacti before 1.0.0 allows remote authenticated users to conduct PHP object injection attacks and execute arbitrary PHP code via a crafted serialized object, related to calling unserialize(stripslashes()). Cacti en versiones anteriores a la 1.0.0 permite que usuarios remotos autenticados lleven a cabo ataques de inyección de objetos PHP y ejecuten código PHP arbitrario mediante un objeto serializado manipulado, relacionado con la llamada a unserialize(stripslashes()). • https://forums.cacti.net/viewtopic.php?f=4&t=56794 https://security-tracker.debian.org/tracker/CVE-2014-4000 https://security.gentoo.org/glsa/201711-10 https://www.cacti.net/release_notes_1_0_0.php • CWE-94: Improper Control of Generation of Code ('Code Injection') •