Bugzilla – Bug 1214170
VUL-0: CVE-2023-37543: cacti: Insecure direct object reference via a modified local_graph_id parameter to graph_xport.php
Last modified: 2023-09-26 19:17:27 UTC
CVE-2023-37543

Cacti before 1.2.6 allows IDOR (Insecure Direct Object Reference) for accessing any graph via a modified local_graph_id parameter to graph_xport.php. This is a different vulnerability than CVE-2019-16723.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-37543
https://bugzilla.redhat.com/show_bug.cgi?id=2231140
https://www.cve.org/CVERecord?id=CVE-2023-37543
https://github.com/Cacti/cacti/security/advisories/GHSA-4x82-8w8m-w8hj
https://medium.com/@hussainfathy99/exciting-news-my-first-cve-discovery-cve-2023-37543-idor-vulnerability-in-cacti-bbb6c386afed
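For installations still waiting on the update, web access logs can show whether one client has been exporting an unusual number of different graphs through graph_xport.php. The following is an added example, not part of the bug report or of Cacti; the combined log format, the /cacti/ install path, the sample lines and the threshold of 5 are assumptions, and only requests that carry local_graph_id in the query string are visible to it.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Combined-log-format prefix: client, ident, user, [time], "METHOD target proto", status
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def _line(ip, target, status=200):
    # Helper that builds one constructed log line (hypothetical, for the sample only).
    return f'{ip} - - [01/Jan/2024:10:00:00 +0000] "GET {target} HTTP/1.1" {status} 512 "-" "-"'

# Constructed sample input, not real traffic. Addresses are documentation ranges.
SAMPLE_LOG = "\n".join(
    [_line("198.51.100.7", "/cacti/graph_xport.php?local_graph_id=12")] * 3
    + [_line("198.51.100.7", "/cacti/graph_view.php?action=tree")]
    + [_line("203.0.113.9", f"/cacti/graph_xport.php?local_graph_id={i}") for i in range(1, 9)]
    + [_line("203.0.113.9", "/cacti/graph_xport.php?local_graph_id=99", status=403)]
)

def graph_ids_by_client(log_text):
    """Map client IP -> set of local_graph_id values it exported with HTTP 200."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m or m.group("status") != "200":
            continue  # unparsable line, or the export was refused
        url = urlsplit(m.group("target"))
        if not url.path.endswith("/graph_xport.php"):
            continue
        for value in parse_qs(url.query).get("local_graph_id", []):
            if value.isdigit():
                seen[m.group("ip")].add(int(value))
    return seen

def flag_enumeration(log_text, max_distinct=5):
    """Return {ip: sorted ids} for clients that exported more than max_distinct graphs."""
    return {
        ip: sorted(ids)
        for ip, ids in graph_ids_by_client(log_text).items()
        if len(ids) > max_distinct
    }

if __name__ == "__main__":
    for ip, ids in flag_enumeration(SAMPLE_LOG).items():
        print(f"{ip} exported {len(ids)} distinct graphs: {ids}")
```

A flagged client is a lead for review against that user's graph permissions, not proof of abuse; tune max_distinct to how many graphs a legitimate user normally exports.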
The report is a bit strange; I assume that the next version might contain the fix (1.2.25).

Still open for Factory and Backports.
The older CVE-2019-16723 was fixed in 1.2.7 in https://github.com/Cacti/cacti/issues/2964 with

> -security#2964: CVE-2019-16723 Security issue allows to view all graphs

So someone seems to have made a typo. Let's assume that it affects <= 1.2.24 (the current release) and is fixed in the next version, probably 1.2.25. There is already content there:

> -SECURITY#5318: Multiple minor stored XSS vulnerabilities in Cacti 1.2.24
> -SECURITY#5348: Unchecked Regular expressions can lead to privilege escalation and data leakage
> -SECURITY: Protect against certain SQL Injection attacks
> -SECURITY: Protect against certain command level injections in snmp functions
> -SECURITY: Protect against SQL Injection in graphs.php
> -SECURITY: Protect against SQL Injection in reports_user.php
> -SECURITY: Protext against Reflected XSS in graphs_new.php
This seems to have been fixed with the update to 1.2.25 issued for the child bugs of bug 1215024.