PT-2019-11984 · Librenms · Librenms
Published
2019-09-09
·
Updated
2019-10-11
·
CVE-2019-10671
CVSS v3.1
8.8
High
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
LibreNMS versions prior to 1.48
Description
The issue allows SQL injection due to insufficient parameterization of user-supplied input within database queries. An authenticated attacker can manipulate these database queries to extract or modify data. For example, the
sort parameter in graph.php is vulnerable.Recommendations
For versions prior to 1.48, update to version 1.48 or later to resolve the issue. As a temporary workaround, consider restricting access to the
graph.php page to minimize the risk of exploitation. Avoid using user-supplied input in database queries until the issue is resolved.Exploit
Fix
SQL injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Librenms