Shodan
Vulnerabilities
Vulnerable Software
Cacti:  Security Vulnerabilities
CVE-2017-16660
Cacti 1.1.27 allows remote authenticated administrators to conduct Remote Code Execution attacks by placing the Log Path under the web root, and then making a remote_agent.php request containing PHP code in a Client-ip header.
CVSS Score
7.2
EPSS Score
0.015
Published
2017-11-08
CVE-2017-16661
Cacti 1.1.27 allows remote authenticated administrators to read arbitrary files by placing the Log Path into a private directory, and then making a clog.php?filename= request, as demonstrated by filename=passwd (with a Log Path under /etc) to read /etc/passwd.
CVSS Score
4.9
EPSS Score
0.002
Published
2017-11-08
CVE-2017-16641
lib/rrd.php in Cacti 1.1.27 allows remote authenticated administrators to execute arbitrary OS commands via the path_rrdtool parameter in an action=save request to settings.php.
CVSS Score
7.2
EPSS Score
0.005
Published
2017-11-07
CVE-2017-15194
include/global_session.php in Cacti 1.1.25 has XSS related to (1) the URI or (2) the refresh page.
CVSS Score
6.1
EPSS Score
0.003
Published
2017-10-11
CVE-2017-12978
lib/html.php in Cacti before 1.1.18 has XSS via the title field of an external link added by an authenticated user.
CVSS Score
5.4
EPSS Score
0.003
Published
2017-08-21
CVE-2017-12927
A cross-site scripting vulnerability exists in Cacti 1.1.17 in the method parameter in spikekill.php.
CVSS Score
6.1
EPSS Score
0.005
Published
2017-08-18
CVE-2017-12065
spikekill.php in Cacti before 1.1.16 might allow remote attackers to execute arbitrary code via the avgnan, outlier-start, or outlier-end parameter.
CVSS Score
9.8
EPSS Score
0.033
Published
2017-08-01
CVE-2017-12066
Cross-site scripting (XSS) vulnerability in aggregate_graphs.php in Cacti before 1.1.16 allows remote authenticated users to inject arbitrary web script or HTML via specially crafted HTTP Referer headers, related to the $cancel_url variable. NOTE: this vulnerability exists because of an incomplete fix (lack of the htmlspecialchars ENT_QUOTES flag) for CVE-2017-11163.
CVSS Score
5.4
EPSS Score
0.002
Published
2017-08-01
CVE-2017-11691
Cross-site scripting (XSS) vulnerability in auth_profile.php in Cacti 1.1.13 allows remote attackers to inject arbitrary web script or HTML via specially crafted HTTP Referer headers.
CVSS Score
5.4
EPSS Score
0.005
Published
2017-07-27
CVE-2017-1000031
SQL injection vulnerability in graph_templates_inputs.php in Cacti 0.8.8b allows remote attackers to execute arbitrary SQL commands via the graph_template_input_id and graph_template_id parameters.
CVSS Score
8.8
EPSS Score
0.011
Published
2017-07-17


Products
Pricing
Contact Us

Shodan ® - All rights reserved