Cacti Password Hacking

I have found one password hacking trick which can be used for cacti to
change any user password including admin.

http://xxx.xxx.xxx.xxx/auth_changepassword.php?ref=index.php&action=changepassword&username=admin&password=aaaaaa&confirm=aaaaaa&submit=Save

xxx.xxx.xxx.xxx - ip of cacti server.

This url will provide option to change the password of admin user. if
the same is happening with your cacti also kindly block
auth_changepassword.php file from accessing through web.