CVE-2024-32461

Name of the Vulnerable Software and Affected Versions LibreNMS versions prior to 24.4.0

Description A SQL injection vulnerability in the POST /search/search=packages endpoint in LibreNMS allows a user with global read privileges to execute SQL commands via the package parameter. This vulnerability can be exploited to extract all data from the database, including administrator credentials.

Recommendations For versions prior to 24.4.0, update to version 24.4.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the /search/search=packages endpoint until a patch is applied. Avoid using the package parameter in the affected API endpoint until the issue is resolved.