PT-2023-30763 · Librenms · Librenms

Rook1337 · Published 2023-11-17 · Updated 2023-11-29 · CVE-2023-48294

CVSS v3.1: 4.3 Medium
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: LibreNMS versions prior to 23.11.0

Description: The issue allows a low-privilege user to enumerate devices in LibreNMS by id or hostname, using the request that is sent to graph.php when they open their device dashboard. This lets the low-privilege user see all devices registered by admin users.

Recommendations: For versions prior to 23.11.0, upgrade to release 23.11.0 or later to address the vulnerability. As a temporary workaround, implement privilege access control checks that verify whether a low-privilege user is allowed to access a specific device. Restrict access to the graph.php endpoint to minimize the risk of exploitation. Avoid using the device parameter in the affected API endpoint until the issue is resolved.
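One way to apply the recommended per-device access check retrospectively, as an added example that is not part of this advisory or of LibreNMS: it parses web-server access log lines (constructed here, in combined log format, with the assumption that the LibreNMS username is logged in the remote-user field), extracts the device parameter from graph.php requests, and reports which devices each user requested outside a constructed permission table. The log format, usernames, device ids, hostname and permission table are all assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Constructed sample lines in combined log format. Assumption: the web server
# records the LibreNMS username in the remote-user field (third column).
SAMPLE_LOG = """\
10.0.0.5 - alice [17/Nov/2023:10:00:01 +0000] "GET /graph.php?device=12&type=device_bits&from=-1d HTTP/1.1" 200 5120
10.0.0.5 - alice [17/Nov/2023:10:00:02 +0000] "GET /graph.php?device=13&type=device_bits&from=-1d HTTP/1.1" 200 5110
10.0.0.5 - alice [17/Nov/2023:10:00:03 +0000] "GET /graph.php?device=14&type=device_bits&from=-1d HTTP/1.1" 200 5098
10.0.0.5 - alice [17/Nov/2023:10:00:04 +0000] "GET /graph.php?device=core-sw1.example.net&type=device_bits HTTP/1.1" 200 5090
10.0.0.9 - bob [17/Nov/2023:10:01:00 +0000] "GET /graph.php?device=12&type=device_bits&from=-1d HTTP/1.1" 200 5120
10.0.0.9 - bob [17/Nov/2023:10:01:01 +0000] "GET /device/12 HTTP/1.1" 200 20480
"""

# Constructed permission table: the device ids / hostnames each non-admin
# user is actually allowed to view (hypothetical values).
PERMITTED = {
    "alice": {"12"},
    "bob": {"12"},
}

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def graph_device_requests(log_text):
    """Yield (user, device) for every graph.php request carrying a device parameter.
    Both numeric ids and hostnames are returned as-is, since either can be used."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        url = urlparse(m.group("target"))
        if url.path != "/graph.php":
            continue
        for dev in parse_qs(url.query).get("device", []):
            yield m.group("user"), dev


def unauthorized_device_access(log_text, permitted):
    """Map each user to the sorted list of device values they requested via graph.php
    but are not permitted to view. Users missing from the table get no permissions."""
    hits = defaultdict(set)
    for user, dev in graph_device_requests(log_text):
        if dev not in permitted.get(user, set()):
            hits[user].add(dev)
    return {u: sorted(d) for u, d in hits.items()}
```

Running `unauthorized_device_access(SAMPLE_LOG, PERMITTED)` on the constructed lines reports alice requesting three devices outside her permitted set, while bob's single permitted request produces no finding.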

Weakness Enumeration: Information Disclosure

Related Identifiers

CVE-2023-48294
GHSA-FPQ5-4VWM-78X4

Affected Products

Librenms