
Louhan-Dev

#29532 of 53,624
8.8 Total CVSS
Vulnerabilities · 1
PT-2024-24590
8.8
2024-04-22
Librenms · Librenms · CVE-2024-32461
**Name of the Vulnerable Software and Affected Versions**

LibreNMS versions prior to 24.4.0

**Description**

A SQL injection vulnerability in the `POST /search/search=packages` endpoint in LibreNMS allows a user with global read privileges to execute SQL commands via the `package` parameter. This vulnerability can be exploited to extract all data from the database, including administrator credentials.

**Recommendations**

For versions prior to 24.4.0, update to version 24.4.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the `/search/search=packages` endpoint until a patch is applied. Avoid using the `package` parameter in the affected API endpoint until the issue is resolved.