CVE-2023-37543 — Authorization Bypass Through User-Controlled Key in Cacti

CWE-639 — Authorization Bypass Through User-Controlled Key4 documents4 sources

Severity

7.5HIGHNVD

OSV4.3

EPSS

0.6%

top 30.02%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cacti Debian Cacti

Timeline

PublishedAug 10

Description

Cacti before 1.2.6 allows IDOR (Insecure Direct Object Reference) for accessing any graph via a modified local_graph_id parameter to graph_xport.php. This is a different vulnerability than CVE-2019-16723.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶NVDcacti/cacti< 1.2.6

▶debiandebian/cacti< cacti 1.2.6+ds1-1 (bookworm)

▶Debiancacti/cacti< 1.2.6+ds1-1+3

🔴Vulnerability Details

GHSA

GHSA-6cj8-h4pg-p2jv: Cacti before 1↗2023-08-10

▶

OSV

CVE-2023-37543: Cacti before 1↗2023-08-10

▶

📋Vendor Advisories

Debian

CVE-2023-37543: cacti - Cacti before 1.2.6 allows IDOR (Insecure Direct Object Reference) for accessing ...↗2023

▶