
K0Pak4

#51,688 of 53,624
4.3 Total CVSS
Vulnerabilities · 1
PT-2023-4942
4.3
2023-09-05
Cacti · Cacti · CVE-2023-30534
**Name of the Vulnerable Software and Affected Versions**

Cacti version 1.2.24

**Description**

The issue is an insecure deserialization in Cacti, specifically in the `host_new_graphs_save` function in `graphs_new.php`, which calls `unserialize` on user-supplied input without sanitizing it. Although a gadget chain exists in Cacti's vendor directory, the gadgets it would need are not included, so the insecure deserialization is not exploitable. It is estimated that about 16,674 results are potentially affected. The issue has been addressed in version 1.2.25.

**Recommendations**

For Cacti version 1.2.24, upgrade to version 1.2.25 to resolve the issue. As a temporary workaround, consider restricting access to the `graphs_new.php` file or disabling the `host_new_graphs_save` function until the upgrade can be applied. Avoid calling `unserialize` on user input without proper sanitization.