Description
I have created a user with no group membership. Graph permission default is DENY and I have selected all graphs as Restricted instead of 1. I have device permissions default DENY and only set to a specific one. Template permission is set to DENY. Tree permissions are also default DENY and I set access to only a specific one. When I log in with that user I see only one option in the tree, and when I click on the device I see the graph. Everything is fine. But if I take the URL
domain.com/graph_json.php?rra_id=0&local_graph_id=3205&graph_start=1569069730&graph_end=1569156130&graph_height=120&graph_width=500
and change the local_graph_id to another value, i.e. 5312, I get a response, and inside that response I see the image, which is base64-encoded. If I decode it and create a PNG I can see the other graph that I don't have permission to see.
I tried updating to the latest Cacti, 1.2.6, and it still has that security issue. I also checked the source code carefully and I don't see any permission check regarding graphs. For example, I see a permission check for tree node creation but not for graphs.
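As an added example (not part of this report or of the Cacti code base), a Python check that walks web server access logs and flags successful graph_json.php responses whose local_graph_id lies outside the requesting user's permitted graph set, which is the behaviour described above. The log lines, the per-user permission map and the assumption that the Cacti username is written into the log's REMOTE_USER field are all constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Constructed sample: Apache combined-style log lines from a Cacti instance.
# Assumption: the third field carries the authenticated Cacti username
# (e.g. a custom LogFormat); adjust LOG_RE for your own logging setup.
SAMPLE_LOG = """\
10.0.0.5 - auditor [22/Sep/2019:10:02:10 +0000] "GET /graph_json.php?rra_id=0&local_graph_id=3205&graph_start=1569069730&graph_end=1569156130&graph_height=120&graph_width=500 HTTP/1.1" 200 8120
10.0.0.5 - auditor [22/Sep/2019:10:02:31 +0000] "GET /graph_json.php?rra_id=0&local_graph_id=5312&graph_start=1569069730&graph_end=1569156130 HTTP/1.1" 200 7988
10.0.0.5 - auditor [22/Sep/2019:10:02:33 +0000] "GET /graph_json.php?rra_id=0&local_graph_id=5313&graph_start=1569069730&graph_end=1569156130 HTTP/1.1" 200 7990
10.0.0.9 - admin [22/Sep/2019:10:03:00 +0000] "GET /graph_json.php?rra_id=0&local_graph_id=5312&graph_start=1569069730&graph_end=1569156130 HTTP/1.1" 200 7988
10.0.0.5 - auditor [22/Sep/2019:10:03:05 +0000] "GET /index.php HTTP/1.1" 200 1200
"""

# Constructed permission model: local_graph_id values each user may see.
# In a real deployment derive this from Cacti's permission tables rather
# than hard-coding it. None means the user is unrestricted.
ALLOWED_GRAPHS = {"auditor": {3205}, "admin": None}

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
                    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})')

def parse_graph_requests(log_text):
    """Yield (user, ip, local_graph_id, status) for each graph_json.php request."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlparse(m.group("path"))
        if not url.path.endswith("/graph_json.php"):
            continue
        ids = parse_qs(url.query).get("local_graph_id")
        if not ids or not ids[0].isdigit():
            continue
        yield m.group("user"), m.group("ip"), int(ids[0]), int(m.group("status"))

def find_unauthorized_graph_reads(log_text, allowed=ALLOWED_GRAPHS):
    """Return {user: sorted local_graph_ids} for graphs served (HTTP 200)
    to a user whose permission set does not include them."""
    hits = defaultdict(set)
    for user, _ip, gid, status in parse_graph_requests(log_text):
        permitted = allowed.get(user, set())  # unknown users: nothing permitted
        if status == 200 and permitted is not None and gid not in permitted:
            hits[user].add(gid)
    return {u: sorted(g) for u, g in hits.items()}

if __name__ == "__main__":
    for user, graphs in find_unauthorized_graph_reads(SAMPLE_LOG).items():
        print(f"{user}: served graphs outside permission set: {graphs}")
```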