Jellyfrog

Name of the Vulnerable Software and Affected Versions: LibreNMS versions prior to 21.1.0 Description: A second-order SQL injection issue in the Top Devices dashboard widget of LibreNMS allows remote authenticated attackers to execute arbitrary SQL commands via the `sort order` parameter against the "/ajax/form/widget-settings" endpoint. Recommendations: For versions prior to 21.1.0, update to version 21.1.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the "/ajax/form/widget-settings" endpoint or disabling the `sort order` parameter in the Top Devices dashboard widget until a patch is available.