Vulnerabilities
Vulnerable Software
Cacti:  Security Vulnerabilities
include/global_session.php in Cacti 1.1.25 has XSS related to (1) the URI or (2) the refresh page.
CVSS Score
6.1
EPSS Score
0.011
Published
2017-10-11
lib/html.php in Cacti before 1.1.18 has XSS via the title field of an external link added by an authenticated user.
CVSS Score
5.4
EPSS Score
0.008
Published
2017-08-21
A cross-site scripting vulnerability exists in Cacti 1.1.17 in the method parameter in spikekill.php.
CVSS Score
6.1
EPSS Score
0.014
Published
2017-08-18
spikekill.php in Cacti before 1.1.16 might allow remote attackers to execute arbitrary code via the avgnan, outlier-start, or outlier-end parameter.
CVSS Score
9.8
EPSS Score
0.029
Published
2017-08-01
Cross-site scripting (XSS) vulnerability in aggregate_graphs.php in Cacti before 1.1.16 allows remote authenticated users to inject arbitrary web script or HTML via specially crafted HTTP Referer headers, related to the $cancel_url variable. NOTE: this vulnerability exists because of an incomplete fix (lack of the htmlspecialchars ENT_QUOTES flag) for CVE-2017-11163.
CVSS Score
5.4
EPSS Score
0.014
Published
2017-08-01
Cross-site scripting (XSS) vulnerability in auth_profile.php in Cacti 1.1.13 allows remote attackers to inject arbitrary web script or HTML via specially crafted HTTP Referer headers.
CVSS Score
5.4
EPSS Score
0.02
Published
2017-07-27
SQL injection vulnerability in graph_templates_inputs.php in Cacti 0.8.8b allows remote attackers to execute arbitrary SQL commands via the graph_template_input_id and graph_template_id parameters.
CVSS Score
8.8
EPSS Score
0.014
Published
2017-07-17
Cross-Site scripting (XSS) vulnerabilities in Cacti 0.8.8b allow remote attackers to inject arbitrary web script or HTML via the parent_id parameter to tree.php and drp_action parameter to data_sources.php.
CVSS Score
6.1
EPSS Score
0.009
Published
2017-07-17
Cross-site scripting (XSS) vulnerability in aggregate_graphs.php in Cacti 1.1.12 allows remote authenticated users to inject arbitrary web script or HTML via specially crafted HTTP Referer headers, related to the $cancel_url variable.
CVSS Score
5.4
EPSS Score
0.013
Published
2017-07-10
Cross-site scripting (XSS) vulnerability in link.php in Cacti 1.1.12 allows remote anonymous users to inject arbitrary web script or HTML via the id parameter, related to the die_html_input_error function in lib/html_validate.php.
CVSS Score
5.4
EPSS Score
0.006
Published
2017-07-06


Contact Us

Shodan ® - All rights reserved