CVE-2023-37543

Name of the Vulnerable Software and Affected Versions Cacti versions prior to 1.2.6

Description The issue is related to an Insecure Direct Object Reference (IDOR) in the graph xport.php component, allowing unauthorized access to any graph via a modified local graph id parameter. This can enable a remote attacker to gain unauthorized access to protected information due to an error in handling user-controlled authorization keys.

Recommendations For versions prior to 1.2.6, update to version 1.2.6 or later to resolve the issue. As a temporary workaround, consider restricting access to the graph xport.php component until a patch is applied. Avoid using the modified local graph id parameter in the graph xport.php endpoint until the issue is resolved.