PT-2019-11982 · Librenms · Librenms

Published: 2019-09-09 · Updated: 2020-08-24 · CVE-2019-10669

CVSS v3.1: 7.2 (High)

Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: LibreNMS versions prior to 1.48
Description: A command injection issue exists due to improper filtering of user-supplied parameters in the `html/includes/graphs/device/collectd.inc.php` file. The `mysqli_real_escape_string()` function is used, which does not escape certain command-line syntax characters, such as the backtick (`` ` ``). This allows an attacker to inject commands into the `$rrd_cmd` variable, which is executed via the `passthru()` function.
Recommendations: For LibreNMS versions prior to 1.48, update to version 1.48 or later to resolve the issue. As a temporary workaround, consider restricting access to the `collectd.inc.php` file to minimize the risk of exploitation. Avoid using the `$rrd_cmd` variable in the affected API endpoint until the issue is resolved.
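As an added example (not LibreNMS code), the following Python model shows the mismatch the advisory describes: a SQL-style escape table rewrites only quote-related characters and leaves the backtick intact, whereas shell quoting (`escapeshellarg()` in PHP, `shlex.quote` here) neutralises it. The command shape, the escape table and the sample value are assumptions.

```python
import shlex

# Characters mysqli_real_escape_string rewrites (assumption: modelled on the
# documented MySQL set): NUL, \n, \r, backslash, ', " and Ctrl-Z. Nothing else.
_MYSQL_ESCAPES = {
    "\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
    "'": "\\'", '"': '\\"', "\x1a": "\\Z",
}
# Metacharacters /bin/sh acts on outside quotes; the backtick is the one the advisory names.
SHELL_META = set("`$|;&<>()")


def mysql_escape(value: str) -> str:
    """SQL-style escaping: every character outside the table passes through unchanged."""
    return "".join(_MYSQL_ESCAPES.get(ch, ch) for ch in value)


def build_cmd_sql_escaped(arg: str) -> str:
    """Vulnerable pattern from the advisory: SQL escaping, then concatenation into a
    shell command string (the rrdtool command shape is assumed, not taken from the page)."""
    return "rrdtool graph " + mysql_escape(arg)


def build_cmd_shell_quoted(arg: str) -> str:
    """Hardened form: quote the argument for the shell instead (escapeshellarg() in PHP)."""
    return "rrdtool graph " + shlex.quote(arg)


def unquoted_shell_meta(cmd: str) -> set:
    """Metacharacters that sit outside single quotes, i.e. ones the shell would interpret.
    Only single-quote grouping is tracked, which is all shlex.quote/escapeshellarg emit."""
    found, in_single = set(), False
    for ch in cmd:
        if ch == "'":
            in_single = not in_single
        elif not in_single and ch in SHELL_META:
            found.add(ch)
    return found


# Constructed sample value carrying a backtick and a single quote (not from the page).
SAMPLE = "router-01`x`'y"
```

Running both builders over `SAMPLE` shows the SQL-escaped command still exposes the backtick to the shell, while the shell-quoted command exposes nothing.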

Weakness Enumeration

OS Command Injection

Related Identifiers

CVE-2019-10669

Affected Products

Librenms