Shodan
Vulnerabilities
Vulnerable Software
Cacti:  Security Vulnerabilities
CVE-2018-20723
A cross-site scripting (XSS) vulnerability exists in color_templates.php in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Name field for a Color.
CVSS Score
4.8
EPSS Score
0.005
Published
2019-01-16
CVE-2018-20724
A cross-site scripting (XSS) vulnerability exists in pollers.php in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Website Hostname for Data Collectors.
CVSS Score
4.8
EPSS Score
0.006
Published
2019-01-16
CVE-2018-20725
A cross-site scripting (XSS) vulnerability exists in graph_templates.php in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Graph Vertical Label.
CVSS Score
4.8
EPSS Score
0.005
Published
2019-01-16
CVE-2018-20726
A cross-site scripting (XSS) vulnerability exists in host.php (via tree.php) in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Website Hostname field for Devices.
CVSS Score
5.4
EPSS Score
0.005
Published
2019-01-16
CVE-2018-10059
Cacti before 1.1.37 has XSS because the get_current_page function in lib/functions.php relies on $_SERVER['PHP_SELF'] instead of $_SERVER['SCRIPT_NAME'] to determine a page name.
CVSS Score
5.4
EPSS Score
0.003
Published
2018-04-12
CVE-2018-10060
Cacti before 1.1.37 has XSS because it does not properly reject unintended characters, related to use of the sanitize_uri function in lib/functions.php.
CVSS Score
5.4
EPSS Score
0.007
Published
2018-04-12
CVE-2018-10061
Cacti before 1.1.37 has XSS because it makes certain htmlspecialchars calls without the ENT_QUOTES flag (these calls occur when the html_escape function in lib/html.php is not used).
CVSS Score
5.4
EPSS Score
0.01
Published
2018-04-12
CVE-2016-10700
auth_login.php in Cacti before 1.0.0 allows remote authenticated users who use web authentication to bypass intended access restrictions by logging in as a user not in the cacti database, because the guest user is not considered. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-2313.
CVSS Score
8.8
EPSS Score
0.007
Published
2017-11-24
CVE-2014-4000
Cacti before 1.0.0 allows remote authenticated users to conduct PHP object injection attacks and execute arbitrary PHP code via a crafted serialized object, related to calling unserialize(stripslashes()).
CVSS Score
8.8
EPSS Score
0.011
Published
2017-11-15
CVE-2017-16785
Cacti 1.1.27 has reflected XSS via the PATH_INFO to host.php.
CVSS Score
6.1
EPSS Score
0.002
Published
2017-11-10


Products
Pricing
Contact Us

Shodan ® - All rights reserved