DescriptionCacti before 1.2.6 allows IDOR (Insecure Direct Object Reference) for accessing any graph via a modified local_graph_id parameter to graph_xport.php. This is a different vulnerability than CVE-2019-16723.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
cacti (PTS)bullseye (security), bullseye1.2.16+ds1-2+deb11u3fixed
bookworm, bookworm (security)1.2.24+ds1-1+deb12u2fixed
sid, trixie1.2.27+ds1-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs


[buster] - cacti <ignored> (Unclear issue; can only be reproduced by reverting CVE-2019-16723 fixes; probably a different vector of the same vulnerability) (404)
Not possible to pinpoint exact fix, but upstream confirms that the fix is in
1.2.6 upstream, cf.
and surrounding questions.

Search for package or bug name: Reporting problems