CVE-2019-16723 — Authorization Bypass Through User-Controlled Key in Cacti

CWE-639 — Authorization Bypass Through User-Controlled Key11 documents5 sources

Severity

7.5HIGHNVD

NVD4.3OSV4.3

EPSS

0.3%

top 49.70%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cacti Debian Cacti

Timeline

PublishedSep 23

Latest updateAug 10

Description

In Cacti through 1.2.6, authenticated users may bypass authorization checks (for viewing a graph) via a direct graph_json.php request with a modified local_graph_id parameter.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages3 packages

▶NVDcacti/cacti< 1.2.6+1

▶debiandebian/cacti< cacti 1.2.7+ds1-1 (bookworm)+1

▶Debiancacti/cacti< 1.2.7+ds1-1+7

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-6cj8-h4pg-p2jv: Cacti before 1↗2023-08-10

▶

OSV

CVE-2023-37543: Cacti before 1↗2023-08-10

▶

GHSA

GHSA-w66m-7qj6-9pv2: In Cacti through 1↗2022-05-24

▶

OSV

CVE-2019-16723: In Cacti through 1↗2019-09-23

▶

📋Vendor Advisories

Debian

CVE-2023-37543: cacti - Cacti before 1.2.6 allows IDOR (Insecure Direct Object Reference) for accessing ...↗2023

▶

Debian

CVE-2019-16723: cacti - In Cacti through 1.2.6, authenticated users may bypass authorization checks (for...↗2019

▶

💬Community

Bugzilla

CVE-2019-16723 cacti: Authentication bypass via graph_json.php request↗2019-11-06

▶

Bugzilla

CVE-2019-16723 cacti: Authentication bypass via graph_json.php request [epel-all]↗2019-11-06

▶

Bugzilla

CVE-2019-16723 cacti: Authentication bypass via graph_json.php request [fedora-all]↗2019-11-06

▶