PT-2024-24604 · Librenms · Librenms

Sco4X0 · Published 2024-04-22 · Updated 2025-01-02 · CVE-2024-32480

CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: LibreNMS versions prior to 24.4.0

Description: The issue is a SQL injection vulnerability. The order parameter, taken from $request, is incorporated directly into an SQL statement after only a string check, which does not prevent SQL metacharacters from reaching the query. This allows an attacker with API access to extract the whole database. The vulnerability is in the file api_functions.php, specifically in the list_devices function.

Recommendations: For versions prior to 24.4.0, update to version 24.4.0 to fix the issue. As a temporary workaround, consider restricting access to the order parameter in the API endpoint until a patch is available. Avoid using the order parameter in the affected API endpoint until the issue is resolved.
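The defect class described above, illustrated as an added example: a hypothetical list_devices-style handler, not LibreNMS code, with the weak "string check" pattern beside an allowlist-based version (the column names and the buildOrderUnsafe/buildOrderSafe helpers are assumptions for illustration).

```php
<?php
// Added illustration, not LibreNMS's own code. Column names are hypothetical.

// Weak pattern: a string/emptiness check does not reject SQL metacharacters,
// so whatever the caller sends still reaches the query as raw SQL text.
function buildOrderUnsafe(string $order): string
{
    if ($order === '') {                // the "string check" the advisory describes
        $order = 'hostname';
    }
    return "SELECT device_id, hostname FROM devices ORDER BY $order";
}

// Hardened pattern: ORDER BY cannot be bound as a prepared-statement parameter,
// so the request value is mapped onto an allowlist of sortable columns and an
// explicit direction; anything that does not match falls back to a safe default.
const SORTABLE_COLUMNS = ['device_id', 'hostname', 'sysName', 'last_polled'];

function buildOrderSafe(string $order): string
{
    $column    = 'hostname';
    $direction = 'ASC';
    if (preg_match('/^([A-Za-z0-9_]+)(?:\s+(asc|desc))?$/i', $order, $m)
        && in_array($m[1], SORTABLE_COLUMNS, true)) {
        $column    = $m[1];
        $direction = isset($m[2]) ? strtoupper($m[2]) : 'ASC';
    }
    // Identifier is quoted as a MySQL identifier; it can only be an allowlisted name.
    return "SELECT device_id, hostname FROM devices ORDER BY `$column` $direction";
}

// Constructed request values for a stand-alone run (would come from $request).
foreach (['hostname desc', 'sysName', 'not_a_column', ''] as $order) {
    echo buildOrderSafe($order), PHP_EOL;
}
```

Any value that is not an allowlisted column name, such as 'not_a_column' or an empty string, yields the default `hostname ASC` ordering instead of reaching the query.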

Weakness Enumeration: SQL injection

Related Identifiers: CVE-2024-32480, GHSA-JH57-J3VQ-H438

Affected Products: Librenms