First published: Fri Nov 17 2023
LibreNMS is an auto-discovering PHP/MySQL/SNMP-based network monitoring system that supports a wide range of network hardware and operating systems. In affected versions of LibreNMS, when a user opens their device dashboard, a request is sent to `graph.php` to fetch the graphs generated for that device. This request can also be issued by a low-privilege user, who can enumerate devices on LibreNMS by their id or hostname. Leveraging this vulnerability, a low-privilege user can see all devices registered by admin users. This vulnerability has been addressed in commit `489978a923`, which is included in release version 23.11.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.
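Added example, not code from the advisory or from the LibreNMS project: a small Python detector that reads web-server access logs and flags non-admin accounts whose `graph.php` requests span many distinct device identifiers, the access pattern described above. The log lines, the admin account list and the `device` query-parameter name are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache "combined" style, authenticated
# username in the third field). These are not real LibreNMS logs.
SAMPLE_LOG = """\
10.0.0.5 - alice [17/Nov/2023:10:00:01 +0000] "GET /graph.php?device=12&type=device_bits HTTP/1.1" 200 1421
10.0.0.9 - bob [17/Nov/2023:10:05:01 +0000] "GET /graph.php?device=1&type=device_bits HTTP/1.1" 200 1402
10.0.0.9 - bob [17/Nov/2023:10:05:02 +0000] "GET /graph.php?device=2&type=device_bits HTTP/1.1" 200 1377
10.0.0.9 - bob [17/Nov/2023:10:05:03 +0000] "GET /graph.php?device=3&type=device_bits HTTP/1.1" 200 1390
10.0.0.9 - bob [17/Nov/2023:10:05:04 +0000] "GET /graph.php?device=core-rtr1&type=device_bits HTTP/1.1" 200 1410
10.0.0.2 - admin [17/Nov/2023:10:06:00 +0000] "GET /graph.php?device=7&type=device_bits HTTP/1.1" 200 1399
10.0.0.2 - admin [17/Nov/2023:10:06:01 +0000] "GET /graph.php?device=8&type=device_bits HTTP/1.1" 200 1388
10.0.0.9 - bob [17/Nov/2023:10:07:00 +0000] "GET /devices HTTP/1.1" 200 8800
"""

# Assumed: accounts with the admin role, which are allowed to view every device.
ADMIN_USERS = {"admin"}

LINE_RE = re.compile(
    r'^\S+ \S+ (?P<user>\S+) \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def graph_requests(log_text):
    """Yield (user, device identifier) for every graph.php request in the log."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/graph.php"):
            continue
        # Assumed parameter name; the advisory only says devices are selected by id or hostname.
        device = parse_qs(parts.query).get("device", [None])[0]
        if device is not None:
            yield m.group("user"), device


def flag_enumeration(log_text, admins=ADMIN_USERS, min_devices=4):
    """Return sorted [(user, distinct_devices)] for non-admin users whose
    graph.php requests touch at least `min_devices` distinct devices."""
    seen = defaultdict(set)
    for user, device in graph_requests(log_text):
        if user not in admins:
            seen[user].add(device)
    return sorted((u, len(d)) for u, d in seen.items() if len(d) >= min_devices)


if __name__ == "__main__":
    print(flag_enumeration(SAMPLE_LOG))  # [('bob', 4)]
```

On a patched instance the same query would normally be answered with an error for devices the user may not view, so pairing this count with the response status narrows the alert to successful reads.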
Credit: security-advisories@github.com
Affected Software | Affected Version | How to fix
---|---|---
composer/librenms/librenms | <23.11.0 | 23.11.0
Librenms Librenms | <23.11.0 | 23.11.0
The severity of CVE-2023-48294 is medium with a CVSS score of 4.3.
The broken access control vulnerability in LibreNMS allows a low-privilege user to enumerate, via `graph.php`, devices registered by admin users that they should not be able to see.
LibreNMS versions earlier than 23.11.0 are affected by CVE-2023-48294.
To fix the broken access control vulnerability in LibreNMS, update to version 23.11.0 or later.
The Common Weakness Enumeration (CWE) ID for CVE-2023-48294 is CWE-200.