PT-2021-11828 · Librenms · Librenms
Author: Jellyfrog · Published 2021-02-08 · Updated 2021-05-06
CVE-2020-35700
CVSS v3.1: 8.8 (High)
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions:
LibreNMS versions prior to 21.1.0
Description:
A second-order SQL injection issue in the Top Devices dashboard widget of LibreNMS allows remote authenticated attackers to execute arbitrary SQL commands via the sort order parameter against the "/ajax/form/widget-settings" endpoint.
Recommendations:
For versions prior to 21.1.0, update to version 21.1.0 or later to resolve the issue.
As a temporary workaround, consider restricting access to the "/ajax/form/widget-settings" endpoint or disabling the sort order parameter in the Top Devices dashboard widget until a patch is available.
Weakness: SQL injection
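The bug class described above, as an added illustration (not LibreNMS code; table, column and setting names are assumed): a sort-order setting is saved through a widget-settings handler and later spliced into ORDER BY, where a bound parameter cannot be used, so the value must be checked against an allowlist both when it is saved and when it is read back.

```php
<?php
// Added example, not from LibreNMS. Shows why a stored widget setting must
// not be trusted simply because it came out of the database (second-order
// injection), and how to constrain it. Schema names below are assumed.

// Vulnerable pattern: the setting was user-supplied at save time and is
// interpolated verbatim when the widget renders.
function buildTopDevicesQueryUnsafe(string $storedSortOrder): string
{
    return "SELECT device_id, hostname FROM devices ORDER BY "
        . $storedSortOrder . " LIMIT 10";
}

// Hardened pattern: the setting is only a key into a fixed map of
// column/direction pairs; anything else falls back to a safe default.
const ALLOWED_SORT = [
    'hostname_asc'  => 'hostname ASC',
    'hostname_desc' => 'hostname DESC',
    'uptime_desc'   => 'uptime DESC',
];

function buildTopDevicesQuery(string $storedSortOrder): string
{
    if (!array_key_exists($storedSortOrder, ALLOWED_SORT)) {
        // Unexpected stored value: log it (hex-encoded so the log line
        // itself is safe) and use the default rather than the raw string.
        error_log('Rejected unexpected sort setting: '
            . bin2hex($storedSortOrder));
        $storedSortOrder = 'hostname_asc';
    }
    return "SELECT device_id, hostname FROM devices ORDER BY "
        . ALLOWED_SORT[$storedSortOrder] . " LIMIT 10";
}

// Validate at the settings endpoint too, so a bad value never reaches
// storage in the first place. $db is an assumed PDO connection.
function saveSortOrderSetting(PDO $db, int $userId, string $sortOrder): bool
{
    if (!array_key_exists($sortOrder, ALLOWED_SORT)) {
        return false; // reject the request instead of persisting the value
    }
    $stmt = $db->prepare(
        'UPDATE widget_settings SET sort_order = :s WHERE user_id = :u'
    );
    return $stmt->execute([':s' => $sortOrder, ':u' => $userId]);
}
```

The read-side check matters even with the save-side check in place, because settings may already exist in the database from before the fix was deployed.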
Affected Products: Librenms