PT-2023-4942 · Cacti+2

K0Pak4

Published: 2023-09-05
Updated: 2025-01-24

CVE-2023-30534

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Cacti version 1.2.24
Description: The issue is an insecure deserialization in Cacti, specifically within the host_new_graphs_save function in graphs_new.php, caused by calling the unserialize function on user input without sanitizing it. Although a viable gadget chain exists in Cacti's vendor directory, the necessary gadgets are not included, so the insecure deserialization is not exploitable. It is estimated that about 16,674 search results are potentially affected. The issue has been addressed in version 1.2.25.
Recommendations: For Cacti version 1.2.24, upgrade to version 1.2.25 to resolve the issue. As a temporary workaround, consider restricting access to the graphs_new.php file or disabling the host_new_graphs_save function until the upgrade can be applied. Avoid calling the unserialize function on user input without proper sanitization.
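As an added illustration (not Cacti's own code), the vulnerable unserialize() pattern described above beside two hardened alternatives, in PHP; the class, function and variable names and the sample payload are hypothetical and constructed:

```php
<?php
// Added illustration, not Cacti's own code: the pattern behind CVE-2023-30534.
// A request field that reaches unserialize() lets the client choose which classes
// get instantiated, so any gadget chain present in vendor/ becomes reachable.

class GraphSelection { public $items = []; }   // hypothetical application class

// Constructed sample of what a client could send in a form field.
$untrusted = 'O:14:"GraphSelection":1:{s:5:"items";a:1:{i:0;s:4:"eth0";}}';

// Vulnerable pattern: unfiltered input; whatever class name the payload carries
// is instantiated, and its magic methods (__wakeup, __destruct) run.
function restoreSelectionVulnerable(string $data)
{
    return unserialize($data);
}

// Hardened pattern 1: keep the serialized format but forbid object instantiation.
// Any object in the payload comes back as __PHP_Incomplete_Class; reject it.
function restoreSelectionSafe(string $data): array
{
    $value = unserialize($data, ['allowed_classes' => false]);
    if (!is_array($value)) {
        throw new InvalidArgumentException('expected a serialized array of selections');
    }
    array_walk_recursive($value, function ($v) {
        if (is_object($v)) {
            throw new InvalidArgumentException('objects are not allowed in client data');
        }
    });
    return $value;
}

// Hardened pattern 2 (preferred for new code): carry client state as JSON,
// which has no way to name a PHP class at all.
function restoreSelectionJson(string $data): array
{
    $value = json_decode($data, true, 8, JSON_THROW_ON_ERROR);
    if (!is_array($value)) {
        throw new InvalidArgumentException('expected a JSON array of selections');
    }
    return $value;
}

// The hardened parser refuses the object payload instead of instantiating it.
try {
    restoreSelectionSafe($untrusted);
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
```

Disabling class instantiation removes the gadget-chain risk even when a future dependency ships usable gadgets, which is why the upgrade rather than the workaround is the durable fix.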

Weakness Enumeration

Deserialization of Untrusted Data

Related Identifiers

ALT-PU-2023-7619
ALT-PU-2023-7621
ALT-PU-2024-7120
ALT-PU-2025-1813
BDU:2023-05455
CVE-2023-30534
GHSA-77RF-774J-6H3P
OPENSUSE-SU-2023:0275-1
OPENSUSE-SU-2024:13203-1

Affected Products

Alt Linux
Cacti
Debian