I have created a user with no group membership. Graph permission default is DENY and I have selected all graphs as Restricted instead of 1. I have device permissions default DENY and only set to a specific one. Template permission is set to DENY. Tree permissions are also default DENY and I set access to only a specific one. When I log in with that user I see only one option in the tree, and when I click on the device I see the graph. Everything is fine. But if I take the URL
domain.com/graph_json.php?rra_id=0&local_graph_id=3205&graph_start=1569069730&graph_end=1569156130&graph_height=120&graph_width=500
and change the local_graph_id to another value, i.e. 5312, I get a response, and inside that response I see the image, which is base64. If I decode it and create a PNG I can see the other graph that I don't have permission to see.
I tried to update to the latest Cacti 1.2.6 and it still has that security issue. Any idea? Is that a Cacti bug or am I doing something wrong?
Serious security issue allows to view all graphs
Re: Serious security issue allows to view all graphs
Graph Json should be applying the same user restriction as graphs.php when displaying the graphs. If you believe this to be an issue then I would open it on GitHub for us to investigate properly.
Cacti Developer & Release Manager
The Cacti Group
Director
BV IT Solutions Ltd
+--------------------------------------------------------------------------+
Cacti Resources:
Cacti Website (including releases)
Cacti Issues
Cacti Development Releases
Cacti Development Documentation
Re: Serious security issue allows to view all graphs
I am pretty sure, as I checked the source code and there is no such permission check. I am posting to GitHub.
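The missing check discussed above, as an added example that is not Cacti's own code: a minimal graph_json-style handler that evaluates the requesting user's graph policy (a per-user default of ALLOW or DENY plus a list of explicit exceptions, modelled on the settings described in the first post) against the requested local_graph_id before it returns any image data. The user names, graph ids, in-memory tables and the GraphPolicy class are all constructed for this example.

```python
"""Object-level authorization for a graph_json-style endpoint (added example,
not Cacti code). The check on local_graph_id runs before any rendering, so a
user who may see graph 3205 cannot fetch graph 5312 by editing the URL."""
import base64
from dataclasses import dataclass, field
from urllib.parse import urlsplit, parse_qs

ALLOW, DENY = "ALLOW", "DENY"


@dataclass
class GraphPolicy:
    """Hypothetical per-user policy: a default plus ids that invert it.
    With default DENY the exceptions are the graphs the user may see;
    with default ALLOW they are the graphs the user may not see."""
    default: str
    exceptions: set = field(default_factory=set)

    def allows(self, local_graph_id: int) -> bool:
        listed = local_graph_id in self.exceptions
        return (self.default == ALLOW) != listed


# Constructed users: the restricted user from the post may see graph 3205 only.
USERS = {
    "restricted": GraphPolicy(default=DENY, exceptions={3205}),
    "admin": GraphPolicy(default=ALLOW),
}

# Constructed graph store standing in for the rows graph_json.php would read.
GRAPHS = {3205: b"\x89PNG-3205", 5312: b"\x89PNG-5312"}


def graph_json(user: str, url: str) -> tuple[int, dict]:
    """Return (http_status, body) for a graph_json.php-style request."""
    params = parse_qs(urlsplit(url).query)
    try:
        local_graph_id = int(params["local_graph_id"][0])
    except (KeyError, ValueError):
        return 400, {"error": "invalid local_graph_id"}
    policy = USERS.get(user)
    # Unknown user, or a graph outside the user's policy: refuse before
    # touching the image so the response carries nothing to decode.
    if policy is None or not policy.allows(local_graph_id):
        return 403, {"error": "permission denied"}
    if local_graph_id not in GRAPHS:
        return 404, {"error": "no such graph"}
    image = base64.b64encode(GRAPHS[local_graph_id]).decode()
    return 200, {"local_graph_id": local_graph_id, "image": image}
```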
Re: Serious security issue allows to view all graphs
Thanks for that. With it being a security issue, there should probably be an associated CVE to go with it so that people can track it.
Cacti Developer & Release Manager