Librenms · Librenms · CVE-2024-32480
**Name of the Vulnerable Software and Affected Versions**
LibreNMS versions prior to 24.4.0
**Description**
The issue is a SQL injection vulnerability. The `order` parameter, taken from `$request`, is concatenated directly into an SQL statement after only a string check, so the check does not prevent injection. This allows an attacker to extract the whole database. The vulnerability exists in the `api_functions.php` file, specifically in the `list_devices` function.
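The following is an added illustration of the pattern the advisory describes, not LibreNMS's own code: a sort string that is only string-checked and then concatenated into `ORDER BY`, beside a hardened version that maps the request value onto an allow-list. The table name `devices` and the column names are assumptions for the example.

```php
<?php
// Added illustration of the advisory's pattern; NOT LibreNMS's own code.
// Table and column names are assumed for the example.

// Vulnerable pattern: the caller-supplied sort string gets a string check
// (empty? already carries a direction keyword?) and is then concatenated
// into the ORDER BY clause, so whatever the check lets through reaches the DBMS.
function buildDeviceQueryVulnerable(string $order): string
{
    if ($order === '') {
        $order = 'hostname';
    }
    // This check only looks for a substring; it does not neutralise SQL syntax.
    if (stripos($order, ' desc') === false && stripos($order, ' asc') === false) {
        $order .= ' ASC';
    }
    return "SELECT * FROM devices ORDER BY $order";
}

// Hardened pattern: ORDER BY cannot take a bound parameter, so the request
// value is used only to select from a fixed list of known columns and a
// fixed direction keyword; anything else is rejected.
const DEVICE_SORT_COLUMNS = ['hostname', 'sysName', 'device_id', 'last_polled'];

function buildDeviceQuerySafe(string $order): string
{
    $parts     = preg_split('/\s+/', trim($order), 2);
    $column    = $parts[0] !== '' ? $parts[0] : 'hostname';
    $direction = strtoupper($parts[1] ?? 'ASC');

    if (!in_array($column, DEVICE_SORT_COLUMNS, true)) {
        throw new InvalidArgumentException('Unknown sort column');
    }
    if ($direction !== 'ASC' && $direction !== 'DESC') {
        throw new InvalidArgumentException('Invalid sort direction');
    }
    // $column is now one of our own constants, never raw request input.
    return "SELECT * FROM devices ORDER BY `$column` $direction";
}

// Usage: only allow-listed column/direction pairs survive.
echo buildDeviceQuerySafe('sysName desc'), PHP_EOL;   // ... ORDER BY `sysName` DESC
try {
    buildDeviceQuerySafe('hostname, 1');              // not a known column
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```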
**Recommendations**
For versions prior to 24.4.0, update to version 24.4.0 to fix the issue.
As a temporary workaround until the upgrade can be applied, restrict access to the affected API endpoint and avoid using its `order` parameter.