| purl | pkg:deb/debian/cacti@0.8.6i-3.6 |
| Next non-vulnerable version | 1.2.30+ds1-1 |
| Latest non-vulnerable version | 1.2.30+ds1-1 |
| Risk | 10.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-17s1-2cfu-nfbg Aliases: CVE-2007-3112 | graph_image.php in Cacti 0.8.6i, and possibly other versions, allows remote authenticated users to cause a denial of service (CPU consumption) via a large value of the (1) graph_start or (2) graph_end parameter, different vectors than CVE-2007-3113. | Affected by 113 other vulnerabilities. |
| VCID-1ff1-vhuj-hkdc Aliases: CVE-2021-3816 | Cacti 1.1.38 allows authenticated users with User Management permissions to inject arbitrary HTML in the group_prefix field during the creation of a new group via "Copy" method at user_group_admin.php. | Affected by 49 other vulnerabilities. |
| VCID-1v2t-kcm2-efad Aliases: CVE-2017-1000031 | SQL injection vulnerability in graph_templates_inputs.php in Cacti 0.8.8b allows remote attackers to execute arbitrary SQL commands via the graph_template_input_id and graph_template_id parameters. | Affected by 72 other vulnerabilities. |
| VCID-29q9-twke-2bdx Aliases: CVE-2018-20725 | A cross-site scripting (XSS) vulnerability exists in graph_templates.php in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Graph Vertical Label. | Affected by 49 other vulnerabilities. |
| VCID-2wj2-hvma-mqcz Aliases: CVE-2015-8377 | Multiple vulnerabilities have been found in Cacti, the worst of which could lead to the remote execution of arbitrary code. | Affected by 101 other vulnerabilities. Affected by 86 other vulnerabilities. Affected by 72 other vulnerabilities. |
| VCID-2z9e-eg1f-bqg5 Aliases: CVE-2018-10060 | Cacti before 1.1.37 has XSS because it does not properly reject unintended characters, related to use of the sanitize_uri function in lib/functions.php. | Affected by 49 other vulnerabilities. |
| VCID-34z4-1zqk-afcm Aliases: CVE-2023-39515 | Multiple vulnerabilities have been discovered in Cacti, the worst of which can lead to privilege escalation. | Affected by 25 other vulnerabilities. |
| VCID-3rsg-kswx-73bj Aliases: CVE-2015-2967 | Multiple vulnerabilities have been found in Cacti, the worst of which could lead to arbitrary code execution. | Affected by 101 other vulnerabilities. Affected by 86 other vulnerabilities. Affected by 72 other vulnerabilities. |
| VCID-3tqy-g42y-9fef Aliases: CVE-2020-25706 | A cross-site scripting (XSS) vulnerability exists in templates_import.php (Cacti 1.2.13) due to improper escaping of the error message during template import preview in the xml_path field. | Affected by 25 other vulnerabilities. |
| VCID-3x9k-en7a-nkht Aliases: CVE-2016-3659 | Multiple vulnerabilities have been found in Cacti, the worst of which could lead to the remote execution of arbitrary code. | Affected by 72 other vulnerabilities. |
| VCID-3y7d-ujep-4ydm Aliases: CVE-2024-34340 | Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, Cacti calls `compat_password_hash` when users set their password. `compat_password_hash` uses `password_hash` if it is available, else `md5`. When verifying a password, it calls `compat_password_verify`. In `compat_password_verify`, `password_verify` is called if it is available, else `md5` is used. `password_verify` and `password_hash` are supported on PHP < 5.5.0, according to the PHP manual. The vulnerability is in `compat_password_verify`. The md5-hashed user input is compared with the correct password in the database by `$md5 == $hash`. It is a loose comparison, not `===`. It is a type juggling vulnerability. Version 1.2.27 contains a patch for the issue. | Affected by 3 other vulnerabilities. |
| VCID-44fx-4w2y-y3dy Aliases: CVE-2024-31458 | Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, some of the data stored in the `form_save()` function in `graph_template_inputs.php` is not thoroughly checked and is used to concatenate the SQL statement in the `draw_nontemplated_fields_graph_item()` function from `lib/html_form_templates.php`, finally resulting in SQL injection. Version 1.2.27 contains a patch for the issue. | Affected by 3 other vulnerabilities. |
| VCID-4twv-1yys-eban Aliases: CVE-2025-22604 | Cacti is an open source performance and fault management framework. Due to a flaw in the multi-line SNMP result parser, authenticated users can inject malformed OIDs in the response. When processed by ss_net_snmp_disk_io() or ss_net_snmp_disk_bytes(), a part of each OID will be used as a key in an array that is used as part of a system command, causing a command execution vulnerability. This vulnerability is fixed in 1.2.29. | Affected by 3 other vulnerabilities. |
| VCID-4ytj-s8hh-6bd5 Aliases: CVE-2011-4824 | SQL injection vulnerability in auth_login.php in Cacti before 0.8.7h allows remote attackers to execute arbitrary SQL commands via the login_username parameter. | Affected by 101 other vulnerabilities. |
| VCID-5dm9-jpwc-gkeu Aliases: CVE-2010-1645 | Multiple vulnerabilities have been found in Cacti, allowing attackers to execute arbitrary code or perform XSS attacks. | Affected by 105 other vulnerabilities. |
| VCID-5ykb-6nvx-k3e4 Aliases: CVE-2023-39362 | Multiple vulnerabilities have been discovered in Cacti, the worst of which can lead to privilege escalation. | Affected by 25 other vulnerabilities. |
| VCID-6dxh-qpg7-q7g8 Aliases: CVE-2010-2544 | Multiple vulnerabilities have been found in Cacti, allowing attackers to execute arbitrary code or perform XSS attacks. | Affected by 105 other vulnerabilities. |
| VCID-6n31-d4xy-d3fj Aliases: CVE-2017-12927 | A cross-site scripting vulnerability exists in Cacti 1.1.17 in the method parameter in spikekill.php. | Affected by 49 other vulnerabilities. |
| VCID-6t6n-ws5n-wkay Aliases: CVE-2024-31443 | Cacti provides an operational monitoring and fault management framework. Prior to 1.2.27, some of the data stored in the `form_save()` function in `data_queries.php` is not thoroughly checked and is used to concatenate the HTML statement in the `grow_right_pane_tree()` function from `lib/html.php`, finally resulting in cross-site scripting. Version 1.2.27 contains a patch for the issue. | Affected by 3 other vulnerabilities. |
| VCID-6ze5-dqdn-ykg3 Aliases: CVE-2024-45598 | Cacti is an open source performance and fault management framework. Prior to 1.2.29, an administrator can change the `Poller Standard Error Log Path` parameter in either Installation Step 5 or in the Configuration->Settings->Paths tab to a local file inside the server. Then simply going to the Logs tab and selecting the name of the local file will show its content on the web UI. This vulnerability is fixed in 1.2.29. | Affected by 3 other vulnerabilities. |
| VCID-77tn-swar-87ec Aliases: CVE-2013-5588 | several | Affected by 101 other vulnerabilities. Affected by 86 other vulnerabilities. |
| VCID-7dp4-9zks-mbgd Aliases: CVE-2018-10061 | Cacti before 1.1.37 has XSS because it makes certain htmlspecialchars calls without the ENT_QUOTES flag (these calls occur when the html_escape function in lib/html.php is not used). | Affected by 49 other vulnerabilities. |
| VCID-7fvn-b8hn-dqeh Aliases: CVE-2016-3172 | Multiple vulnerabilities have been found in Cacti, the worst of which could lead to the remote execution of arbitrary code. | Affected by 72 other vulnerabilities. |
| VCID-7m68-seeq-tuae Aliases: CVE-2025-24368 | Cacti is an open source performance and fault management framework. Some of the data stored in automation_tree_rules.php is not thoroughly checked and is used to concatenate the SQL statement in the build_rule_item_filter() function from lib/api_automation.php, resulting in SQL injection. This vulnerability is fixed in 1.2.29. | Affected by 3 other vulnerabilities. |
| VCID-7mht-4urq-13ek Aliases: CVE-2015-2665 | security update | Affected by 101 other vulnerabilities. Affected by 86 other vulnerabilities. Affected by 72 other vulnerabilities. |
| VCID-7p95-t48a-hkdb Aliases: CVE-2008-0784 | Multiple vulnerabilities were discovered in Cacti. | Affected by 113 other vulnerabilities. |
| VCID-85gc-u991-z3dw Aliases: CVE-2024-25641 | Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, an arbitrary file write vulnerability, exploitable through the "Package Import" feature, allows authenticated users having the "Import Templates" permission to execute arbitrary PHP code on the web server. The vulnerability is located within the `import_package()` function defined in the `/lib/import.php` script. The function blindly trusts the filename and file content provided within the XML data, and writes such files into the Cacti base path (or even outside, since path traversal sequences are not filtered). This can be exploited to write or overwrite arbitrary files on the web server, leading to execution of arbitrary PHP code or other security impacts. Version 1.2.27 contains a patch for this issue. | Affected by 3 other vulnerabilities. |
| VCID-86gq-jsgy-8uep Aliases: CVE-2021-23225 | Cacti 1.1.38 allows authenticated users with User Management permissions to inject arbitrary web script or HTML in the "new_username" field during creation of a new user via "Copy" method at user_admin.php. | Affected by 49 other vulnerabilities. |
| VCID-88mp-1anp-m3g5 Aliases: CVE-2010-2545 | Multiple vulnerabilities have been found in Cacti, allowing attackers to execute arbitrary code or perform XSS attacks. | Affected by 105 other vulnerabilities. |
| VCID-89pf-69jk-syfk Aliases: CVE-2018-20724 | A cross-site scripting (XSS) vulnerability exists in pollers.php in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Website Hostname for Data Collectors. | Affected by 49 other vulnerabilities. |
| VCID-8j9j-nau8-a7cd Aliases: CVE-2014-2708 | Multiple vulnerabilities have been found in Cacti, the worst of which could lead to arbitrary code execution. | Affected by 101 other vulnerabilities. Affected by 86 other vulnerabilities. |
| VCID-8nbc-ethb-6kcn Aliases: CVE-2019-17358 | Multiple vulnerabilities have been found in Cacti, the worst of which could lead to the remote execution of arbitrary code. | Affected by 72 other vulnerabilities. Affected by 49 other vulnerabilities. Affected by 25 other vulnerabilities. |
| VCID-8pnc-kuf5-jqda Aliases: CVE-2015-8369 | Multiple vulnerabilities have been found in Cacti, the worst of which could lead to the remote execution of arbitrary code. | Affected by 101 other vulnerabilities. Affected by 86 other vulnerabilities. Affected by 72 other vulnerabilities. |
| VCID-9fdf-h49c-5qcj Aliases: CVE-2016-2313 | Multiple vulnerabilities have been found in Cacti, the worst of which could lead to the remote execution of arbitrary code. | Affected by 72 other vulnerabilities. |
| VCID-9snd-k1cz-gyb5 Aliases: CVE-2017-15194 | include/global_session.php in Cacti 1.1.25 has XSS related to (1) the URI or (2) the refresh page. | Affected by 49 other vulnerabilities. |
| VCID-9swv-zvke-ubet Aliases: CVE-2020-8813 | Multiple vulnerabilities have been found in Cacti, the worst of which could result in the arbitrary execution of code. | Affected by 25 other vulnerabilities. |
| VCID-9vce-mkth-v3gn Aliases: CVE-2017-12066 | Cross-site scripting (XSS) vulnerability in aggregate_graphs.php in Cacti before 1.1.16 allows remote authenticated users to inject arbitrary web script or HTML via specially crafted HTTP Referer headers, related to the $cancel_url variable. NOTE: this vulnerability exists because of an incomplete fix (lack of the htmlspecialchars ENT_QUOTES flag) for CVE-2017-11163. | Affected by 49 other vulnerabilities. |
| VCID-a8j1-24bw-gudu Aliases: CVE-2023-39364 | security update | Affected by 25 other vulnerabilities. |
| VCID-aajr-s1n1-4ybu Aliases: CVE-2017-12065 | Multiple vulnerabilities have been found in Cacti, the worst of which could lead to the remote execution of arbitrary code. | Affected by 49 other vulnerabilities. |
| VCID-afss-mcgj-7bce Aliases: CVE-2017-11691 | Cross-site scripting (XSS) vulnerability in auth_profile.php in Cacti 1.1.13 allows remote attackers to inject arbitrary web script or HTML via specially crafted HTTP Referer headers. | Affected by 49 other vulnerabilities. |
| VCID-akj7-kh8f-97ct Aliases: CVE-2023-49088 | security update | Affected by 25 other vulnerabilities. |
| VCID-ante-y18a-yyg7 Aliases: CVE-2015-4454 | security update | Affected by 101 other vulnerabilities. Affected by 86 other vulnerabilities. Affected by 72 other vulnerabilities. |
| VCID-atbu-eegm-3ufy Aliases: CVE-2014-2326 | Multiple vulnerabilities have been found in Cacti, the worst of which could lead to arbitrary code execution. | Affected by 101 other vulnerabilities. Affected by 86 other vulnerabilities. |
| VCID-ay5a-nkmf-5yar Aliases: CVE-2023-49086 | security update | Affected by 25 other vulnerabilities. |
| VCID-b8nc-qman-zkcd Aliases: CVE-2014-5261 | Multiple vulnerabilities have been found in Cacti, the worst of which could lead to the remote execution of arbitrary code. | Affected by 101 other vulnerabilities. Affected by 86 other vulnerabilities. |
| VCID-be57-gxmc-vqd4 Aliases: CVE-2024-43362 | Cacti is an open source performance and fault management framework. The `fileurl` parameter is not properly sanitized when saving external links in `links.php`. Moreover, the said fileurl is placed in some HTML code which is passed to the `print` function in `link.php` and `index.php`, finally leading to stored XSS. Users with the privilege to create external links can manipulate the `fileurl` parameter in the HTTP POST request while creating external links to perform stored XSS attacks. The vulnerability known as XSS (Cross-Site Scripting) occurs when an application allows untrusted user input to be displayed on a web page without proper validation or escaping. This issue has been addressed in release version 1.2.28. All users are advised to upgrade. There are no known workarounds for this issue. | Affected by 3 other vulnerabilities. |
| VCID-bj2d-v5dw-ykc7 Aliases: CVE-2009-4112 | Cacti: Privilege escalation under certain conditions | Affected by 49 other vulnerabilities. |
| VCID-bwzz-1txv-3kam Aliases: CVE-2017-1000032 | Cross-site scripting (XSS) vulnerabilities in Cacti 0.8.8b allow remote attackers to inject arbitrary web script or HTML via the parent_id parameter to tree.php and the drp_action parameter to data_sources.php. | Affected by 86 other vulnerabilities. |
| VCID-c2b8-ss11-9yhq Aliases: CVE-2023-39360 | Multiple vulnerabilities have been discovered in Cacti, the worst of which can lead to privilege escalation. | Affected by 25 other vulnerabilities. |
| VCID-c4w5-q88d-z3hg Aliases: CVE-2018-10059 | Cacti before 1.1.37 has XSS because the get_current_page function in lib/functions.php relies on $_SERVER['PHP_SELF'] instead of $_SERVER['SCRIPT_NAME'] to determine a page name. | Affected by 49 other vulnerabilities. |
| VCID-cre7-1uhc-bka2 Aliases: CVE-2019-16723 | Multiple vulnerabilities have been found in Cacti, the worst of which could lead to the remote execution of arbitrary code. | Affected by 25 other vulnerabilities. |
| VCID-cv9v-rynk-m7eb Aliases: CVE-2013-1435 | Multiple vulnerabilities have been found in Cacti, allowing attackers to execute arbitrary code or perform XSS attacks. | Affected by 101 other vulnerabilities. Affected by 86 other vulnerabilities. |
| VCID-cxs3-zh36-m7en Aliases: CVE-2020-7106 | Multiple vulnerabilities have been found in Cacti, the worst of which could lead to the remote execution of arbitrary code. | Affected by 25 other vulnerabilities. |
| VCID-d7db-n89n-qyd8 Aliases: CVE-2023-49084 | security update | Affected by 25 other vulnerabilities. |
| VCID-dbsu-au7h-xbcv Aliases: CVE-2014-5025 | Multiple vulnerabilities have been found in Cacti, the worst of which could lead to arbitrary code execution. | Affected by 101 other vulnerabilities. Affected by 86 other vulnerabilities. |
| VCID-dcnt-ev6f-tydd Aliases: CVE-2015-8604 | Multiple vulnerabilities have been found in Cacti, the worst of which could lead to the remote execution of arbitrary code. | Affected by 101 other vulnerabilities. Affected by 86 other vulnerabilities. Affected by 72 other vulnerabilities. |
| VCID-ddq2-myvr-wfgz Aliases: CVE-2011-5223 | Cross-site request forgery (CSRF) vulnerability in logout.php in Cacti before 0.8.7i allows remote attackers to hijack the authentication of unspecified victims via unknown vectors. | Affected by 101 other vulnerabilities. |
| VCID-djgb-xu1j-53fb Aliases: CVE-2014-4002 | Multiple vulnerabilities have been found in Cacti, the worst of which could lead to arbitrary code execution. | Affected by 101 other vulnerabilities. Affected by 86 other vulnerabilities. |
| VCID-dycc-rydh-kycy Aliases: CVE-2010-2092 | Multiple vulnerabilities have been found in Cacti, allowing attackers to execute arbitrary code or perform XSS attacks. | Affected by 105 other vulnerabilities. |
| VCID-e48s-dv1e-4fgn Aliases: CVE-2020-13231 | In Cacti before 1.2.11, auth_profile.php?action=edit allows CSRF for an admin email change. | Affected by 25 other vulnerabilities. |
| VCID-fhtp-y9a5-vqgj Aliases: CVE-2024-31445 | Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, a SQL injection vulnerability in the `automation_get_new_graphs_sql` function of `api_automation.php` allows authenticated users to exploit these SQL injection vulnerabilities to perform privilege escalation and remote code execution. In `api_automation.php` line 856, the `get_request_var('filter')` is being concatenated into the SQL statement without any sanitization. In `api_automation.php` line 717, the filter of `'filter'` is `FILTER_DEFAULT`, which means there is no filter for it. Version 1.2.27 contains a patch for the issue. | Affected by 3 other vulnerabilities. |
| VCID-fq36-1r9h-aff2 Aliases: CVE-2013-5589 | several | Affected by 101 other vulnerabilities. Affected by 86 other vulnerabilities. |
| VCID-fwp2-z586-ebbq Aliases: CVE-2019-17357 | Multiple vulnerabilities have been found in Cacti, the worst of which could lead to the remote execution of arbitrary code. | Affected by 25 other vulnerabilities. |
| VCID-gdfw-gryt-8qhg Aliases: CVE-2017-10970 | Cross-site scripting (XSS) vulnerability in link.php in Cacti 1.1.12 allows remote anonymous users to inject arbitrary web script or HTML via the id parameter, related to the die_html_input_error function in lib/html_validate.php. | Affected by 49 other vulnerabilities. |
| VCID-gds4-k19q-ryf6 Aliases: CVE-2008-0785 | Multiple vulnerabilities were discovered in Cacti. | Affected by 113 other vulnerabilities. |
| VCID-h3qa-svy4-1fcr Aliases: CVE-2023-49085 | security update | Affected by 25 other vulnerabilities. |
| VCID-hb4z-bmkm-akee Aliases: CVE-2016-10700 | auth_login.php in Cacti before 1.0.0 allows remote authenticated users who use web authentication to bypass intended access restrictions by logging in as a user not in the cacti database, because the guest user is not considered. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-2313. | Affected by 72 other vulnerabilities. |
| VCID-hj89-pnag-3fer Aliases: CVE-2024-43363 | Cacti is an open source performance and fault management framework. An admin user can create a device with a malicious hostname containing PHP code and repeat the installation process (completing only step 5 of the installation process is enough, no need to complete the steps before or after it) to use a PHP file as the Cacti log file. After having the malicious hostname end up in the logs (log poisoning), one can simply go to the log file URL to execute commands to achieve RCE. This issue has been addressed in version 1.2.28 and all users are advised to upgrade. There are no known workarounds for this vulnerability. | Affected by 3 other vulnerabilities. |
| VCID-huf2-qwju-6bf2 Aliases: CVE-2023-39365 | Multiple vulnerabilities have been discovered in Cacti, the worst of which can lead to privilege escalation. | Affected by 25 other vulnerabilities. |
| VCID-hwep-pw4e-efh5 Aliases: CVE-2015-4342 | security update | Affected by 101 other vulnerabilities. Affected by 86 other vulnerabilities. Affected by 72 other vulnerabilities. |
| VCID-jg8r-f76d-rke1 Aliases: CVE-2009-4032 | cacti: Multiple cross-site scripting flaws | Affected by 105 other vulnerabilities. |
| VCID-jkca-shmj-mbbu Aliases: CVE-2024-31459 | Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, there is a file inclusion issue in the `lib/plugin.php` file. Combined with SQL injection vulnerabilities, remote code execution can be implemented. There is a file inclusion issue with the `api_plugin_hook()` function in the `lib/plugin.php` file, which reads the plugin_hooks and plugin_config tables in the database. The read data is directly used to concatenate the file path which is used for file inclusion. Version 1.2.27 contains a patch for the issue. | Affected by 3 other vulnerabilities. |
| VCID-jmv3-vh81-zfdq Aliases: CVE-2022-48547 | Multiple vulnerabilities have been discovered in Cacti, the worst of which can lead to privilege escalation. | Affected by 101 other vulnerabilities. |
| VCID-k6z6-4pb4-tbeu Aliases: CVE-2020-23226 | Multiple Cross Site Scripting (XSS) vulnerabilities exist in Cacti 1.2.12 in (1) reports_admin.php, (2) data_queries.php, (3) data_input.php, (4) graph_templates.php, (5) graphs.php, (6) reports_admin.php, and (7) data_input.php. | Affected by 25 other vulnerabilities. |
| VCID-k7kv-za2s-dud5 Aliases: CVE-2024-31460 | Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, some of the data stored in `automation_tree_rules.php` is not thoroughly checked and is used to concatenate the SQL statement in the `create_all_header_nodes()` function from `lib/api_automation.php`, finally resulting in SQL injection. Using SQL based secondary injection technology, attackers can modify the contents of the Cacti database, and based on the modified content, it may be possible to achieve further impact, such as arbitrary file reading, and even remote code execution through arbitrary file writing. Version 1.2.27 contains a patch for the issue. | Affected by 3 other vulnerabilities. |
| VCID-khhn-9sja-sfgr Aliases: CVE-2025-24367 | Cacti is an open source performance and fault management framework. An authenticated Cacti user can abuse graph creation and graph template functionality to create arbitrary PHP scripts in the web root of the application, leading to remote code execution on the server. This vulnerability is fixed in 1.2.29. | Affected by 3 other vulnerabilities. |
| VCID-kkn3-ars7-gkbk Aliases: CVE-2018-20723 | A cross-site scripting (XSS) vulnerability exists in color_templates.php in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Name field for a Color. | Affected by 49 other vulnerabilities. |
| VCID-m6nf-2ppj-4fhg Aliases: CVE-2010-2543 | Multiple vulnerabilities have been found in Cacti, allowing attackers to execute arbitrary code or perform XSS attacks. | Affected by 105 other vulnerabilities. |
| VCID-mebp-4rfu-vqcq Aliases: CVE-2024-47875 GHSA-gx9m-whjm-85jf | DOMPurify has a nesting-based mXSS. DOMPurify was vulnerable to nesting-based mXSS, fixed by [0ef5e537](https://github.com/cure53/DOMPurify/tree/0ef5e537a514f904b6aa1d7ad9e749e365d7185f) (2.x) and [merge 943](https://github.com/cure53/DOMPurify/pull/943). Backporters should be aware of GHSA-mmhx-hmjr-r674 (CVE-2024-45801) when cherry-picking. A PoC is available under [test](https://github.com/cure53/DOMPurify/blob/0ef5e537a514f904b6aa1d7ad9e749e365d7185f/test/test-suite.js#L2098). | Affected by 3 other vulnerabilities. |
| VCID-nbfc-ex1y-37he Aliases: CVE-2018-20726 | A cross-site scripting (XSS) vulnerability exists in host.php (via tree.php) in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Website Hostname field for Devices. | Affected by 49 other vulnerabilities. |
| VCID-p2u2-5yuu-jydy Aliases: CVE-2021-26247 | As an unauthenticated remote user, visit "http://<CACTI_SERVER>/auth_changepassword.php?ref=<script>alert(1)</script>" to successfully execute the JavaScript payload present in the "ref" URL parameter. | Affected by 101 other vulnerabilities. |
| VCID-p74d-rbz3-sbb3 Aliases: CVE-2007-6035 | An SQL injection vulnerability has been discovered in Cacti. | Affected by 113 other vulnerabilities. |
| VCID-pau5-hfbv-nucp Aliases: CVE-2023-39513 | Multiple vulnerabilities have been discovered in Cacti, the worst of which can lead to privilege escalation. | Affected by 25 other vulnerabilities. |
| VCID-pwrm-brmn-j7cc Aliases: CVE-2014-2328 | Multiple vulnerabilities have been found in Cacti, the worst of which could lead to arbitrary code execution. | Affected by 101 other vulnerabilities. Affected by 86 other vulnerabilities. |
| VCID-q88b-smmh-77ga Aliases: CVE-2017-16660 | Cacti 1.1.27 allows remote authenticated administrators to conduct Remote Code Execution attacks by placing the Log Path under the web root, and then making a remote_agent.php request containing PHP code in a Client-ip header. | Affected by 49 other vulnerabilities. |
| VCID-qbvv-frc2-rqbk Aliases: CVE-2017-16641 | lib/rrd.php in Cacti 1.1.27 allows remote authenticated administrators to execute arbitrary OS commands via the path_rrdtool parameter in an action=save request to settings.php. | Affected by 49 other vulnerabilities. |
| VCID-qncj-2u1d-7bgu Aliases: CVE-2019-11025 | In clearFilter() in utilities.php in Cacti before 1.2.3, no escaping occurs before printing out the value of the SNMP community string (SNMP Options) in the View poller cache, leading to XSS. | Affected by 49 other vulnerabilities. |
| VCID-qnz1-w7bb-97ee Aliases: CVE-2022-41444 | Cross Site Scripting (XSS) vulnerability in Cacti 1.2.21 via crafted POST request to graphs_new.php. | Affected by 3 other vulnerabilities. |
| VCID-qvkt-vk55-4bbx Aliases: CVE-2020-35701 | A vulnerability in Cacti could lead to remote code execution. | Affected by 25 other vulnerabilities. |
| VCID-rftg-byj2-jkh9 Aliases: CVE-2023-37543 | Cacti before 1.2.6 allows IDOR (Insecure Direct Object Reference) for accessing any graph via a modified local_graph_id parameter to graph_xport.php. This is a different vulnerability than CVE-2019-16723. | Affected by 25 other vulnerabilities. |
| VCID-rrpb-xhca-dkcf Aliases: CVE-2014-2327 | Multiple vulnerabilities have been found in Cacti, the worst of which could lead to arbitrary code execution. | Affected by 101 other vulnerabilities. Affected by 86 other vulnerabilities. |
| VCID-s8du-gzj2-gkc1 Aliases: CVE-2024-43364 | Cacti is an open source performance and fault management framework. The `title` parameter is not properly sanitized when saving external links in links.php. Moreover, the said title parameter is stored in the database and reflected back to the user in index.php, finally leading to stored XSS. Users with the privilege to create external links can manipulate the `title` parameter in the HTTP POST request while creating external links to perform stored XSS attacks. The vulnerability known as XSS (Cross-Site Scripting) occurs when an application allows untrusted user input to be displayed on a web page without proper validation or escaping. This issue has been addressed in release version 1.2.28. All users are advised to upgrade. There are no known workarounds for this vulnerability. | Affected by 3 other vulnerabilities. |
| VCID-sb43-hapb-1uf2 Aliases: CVE-2023-39357 | Multiple vulnerabilities have been discovered in Cacti, the worst of which can lead to privilege escalation. | Affected by 25 other vulnerabilities. |
| VCID-scas-pk48-tyc4 Aliases: CVE-2008-0783 | Multiple vulnerabilities were discovered in Cacti. | Affected by 113 other vulnerabilities. |
| VCID-sdme-n5ez-67fw Aliases: CVE-2010-1431 | cacti: SQL injection vulnerability (BONSAI-2010-0104) | Affected by 105 other vulnerabilities. |
| VCID-ses2-y1j2-vbbx Aliases: CVE-2020-14295 | Multiple vulnerabilities have been found in Cacti, the worst of which could result in the arbitrary execution of code. | Affected by 25 other vulnerabilities. |
| VCID-sx2t-uzae-2fh9 Aliases: CVE-2024-54145 | Cacti is an open source performance and fault management framework. Cacti has a SQL injection vulnerability in the get_discovery_results function of automation_devices.php using the network parameter. This vulnerability is fixed in 1.2.29. | Affected by 3 other vulnerabilities. |
| VCID-t9my-r77a-w7ga Aliases: CVE-2008-0786 | Multiple vulnerabilities were discovered in Cacti. | Affected by 113 other vulnerabilities. |
| VCID-tsfy-6cbv-r7hf Aliases: CVE-2015-4634 | security update | Affected by 101 other vulnerabilities. Affected by 86 other vulnerabilities. Affected by 72 other vulnerabilities. |
| VCID-tu9w-kh79-9kc8 Aliases: CVE-2013-1434 | Multiple vulnerabilities have been found in Cacti, allowing attackers to execute arbitrary code or perform XSS attacks. | Affected by 101 other vulnerabilities. Affected by 86 other vulnerabilities. |
| VCID-u478-39pb-tkay Aliases: CVE-2017-12978 | lib/html.php in Cacti before 1.1.18 has XSS via the title field of an external link added by an authenticated user. | Affected by 49 other vulnerabilities. |
| VCID-uj1s-uuyx-mya5 Aliases: CVE-2020-7237 | Multiple vulnerabilities have been found in Cacti, the worst of which could lead to the remote execution of arbitrary code. | Affected by 25 other vulnerabilities. |
| VCID-vbs9-gben-9kgc Aliases: CVE-2024-48910 GHSA-p3vf-v8qc-cwcr | DOMPurify vulnerable to tampering by prototype pollution. DOMPurify was vulnerable to prototype pollution. Fixed by https://github.com/cure53/DOMPurify/commit/d1dd0374caef2b4c56c3bd09fe1988c3479166dc | Affected by 3 other vulnerabilities. |
| VCID-vsjt-qjyw-hbfs Aliases: CVE-2023-39359 | Multiple vulnerabilities have been discovered in Cacti, the worst of which can lead to privilege escalation. | Affected by 25 other vulnerabilities. |
| VCID-w1vc-ugdq-aygx Aliases: CVE-2017-11163 | Cross-site scripting (XSS) vulnerability in aggregate_graphs.php in Cacti 1.1.12 allows remote authenticated users to inject arbitrary web script or HTML via specially crafted HTTP Referer headers, related to the $cancel_url variable. | Affected by 49 other vulnerabilities. |
| VCID-w7pb-rt12-y3gs Aliases: CVE-2014-5262 | Multiple vulnerabilities have been found in Cacti, the worst of which could lead to the remote execution of arbitrary code. | Affected by 101 other vulnerabilities. Affected by 86 other vulnerabilities. |
| VCID-wrxa-2us4-vkf9 Aliases: CVE-2020-13230 | In Cacti before 1.2.11, disabling a user account does not immediately invalidate any permissions granted to that account (e.g., permission to view logs). | Affected by 25 other vulnerabilities. |
| VCID-ws4h-295a-9qgx Aliases: CVE-2023-39516 | Multiple vulnerabilities have been discovered in Cacti, the worst of which can lead to privilege escalation. | Affected by 25 other vulnerabilities. |
| VCID-x1fg-6mq4-d7ds Aliases: CVE-2017-16661 | Cacti 1.1.27 allows remote authenticated administrators to read arbitrary files by placing the Log Path into a private directory, and then making a clog.php?filename= request, as demonstrated by filename=passwd (with a Log Path under /etc) to read /etc/passwd. | Affected by 49 other vulnerabilities. |
| VCID-xbb2-av4z-m3dp Aliases: CVE-2022-46169 | Multiple vulnerabilities have been discovered in Cacti, the worst of which can lead to privilege escalation. | Affected by 25 other vulnerabilities. |
| VCID-xdbp-7rtr-fyb7 Aliases: CVE-2024-43365 | Cacti is an open source performance and fault management framework. The `consolenewsection` parameter is not properly sanitized when saving external links in links.php. Moreover, the said consolenewsection parameter is stored in the database and reflected back to the user in `index.php`, finally leading to stored XSS. Users with the privilege to create external links can manipulate the `consolenewsection` parameter in the HTTP POST request while creating external links to perform stored XSS attacks. The vulnerability known as XSS (Cross-Site Scripting) occurs when an application allows untrusted user input to be displayed on a web page without proper validation or escaping. This issue has been addressed in release version 1.2.28. All users are advised to upgrade. There are no known workarounds for this vulnerability. | Affected by 3 other vulnerabilities. |
| VCID-xpvn-y3b8-skgb Aliases: CVE-2022-0730 | Multiple vulnerabilities have been discovered in Cacti, the worst of which can lead to privilege escalation. | Affected by 25 other vulnerabilities. |
| VCID-y683-kz6e-afhv Aliases: CVE-2024-31444 | Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, some of the data stored in the `automation_tree_rules_form_save()` function in `automation_tree_rules.php` is not thoroughly checked and is used to concatenate the HTML statement in the `form_confirm()` function from `lib/html.php`, finally resulting in cross-site scripting. Version 1.2.27 contains a patch for the issue. | Affected by 3 other vulnerabilities. |
| VCID-y6jw-jm1g-ubgx Aliases: CVE-2010-1644 | Multiple vulnerabilities have been found in Cacti, allowing attackers to execute arbitrary code or perform XSS attacks. | Affected by 105 other vulnerabilities. |
| VCID-ya95-dsw9-pfhw Aliases: CVE-2014-5026 | Multiple vulnerabilities have been found in Cacti, the worst of which could lead to arbitrary code execution. | Affected by 101 other vulnerabilities. Affected by 86 other vulnerabilities. |
| VCID-ybx7-gpq4-33ha Aliases: CVE-2014-2709 | Multiple vulnerabilities have been found in Cacti, the worst of which could lead to arbitrary code execution. | Affected by 101 other vulnerabilities. Affected by 86 other vulnerabilities. |
| VCID-yjny-ubdp-7few Aliases: CVE-2017-16785 | Cacti 1.1.27 has reflected XSS via the PATH_INFO to host.php. | Affected by 49 other vulnerabilities. |
| VCID-ypan-57sx-vyam Aliases: CVE-2023-39361 | Multiple vulnerabilities have been discovered in Cacti, the worst of which can lead to privilege escalation. | Affected by 25 other vulnerabilities. |
| VCID-z2hd-9r1a-x7gr Aliases: CVE-2007-3113 | Cacti 0.8.6i, and possibly other versions, allows remote authenticated users to cause a denial of service (CPU consumption) via a large value of the (1) graph_height or (2) graph_width parameter, different vectors than CVE-2007-3112. | Affected by 113 other vulnerabilities. |
| VCID-zwne-uyfj-5bf8 Aliases: CVE-2014-4000 | Multiple vulnerabilities have been found in Cacti, the worst of which could lead to the remote execution of arbitrary code. | Affected by 72 other vulnerabilities. |

| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | | |