Librenms: >> Librenms >> 1.24 Security Vulnerabilities
Cross-site Scripting (XSS) - Stored in Packagist librenms/librenms prior to 22.2.0.
CVSS Score
5.4
EPSS Score
0.0
Published
2022-02-14
Cross-site Scripting (XSS) - Generic in Packagist librenms/librenms prior to 22.1.0.
CVSS Score
5.4
EPSS Score
0.0
Published
2022-02-14
LibreNMS through 21.10.2 allows XSS via a widget title.
CVSS Score
6.1
EPSS Score
0.0
Published
2021-11-03
In LibreNMS < 21.3.0, a stored XSS vulnerability was identified in the API Access page due to insufficient sanitization of the $api->description variable. As a result, arbitrary Javascript code can get executed.
CVSS Score
5.4
EPSS Score
0.0
Published
2021-09-08
A second-order SQL injection issue in Widgets/TopDevicesController.php (aka the Top Devices dashboard widget) of LibreNMS before 21.1.0 allows remote authenticated attackers to execute arbitrary SQL commands via the sort_order parameter against the /ajax/form/widget-settings endpoint.
CVSS Score
8.8
EPSS Score
0.0
Published
2021-02-08
In LibreNMS before 1.65.1, an authenticated attacker can achieve SQL Injection via the customoid.inc.php device_id POST parameter to ajax_form.php.
CVSS Score
6.5
EPSS Score
0.077
Published
2020-07-21
An issue was discovered in LibreNMS before 1.65.1. It has insufficient access control for normal users because of "'guard' => 'admin'" instead of "'middleware' => ['can:admin']" in routes/web.php.
CVSS Score
8.8
EPSS Score
0.001
Published
2020-07-21
An issue was discovered in LibreNMS through 1.47. Many of the scripts rely on the function mysqli_escape_real_string for filtering data. However, this is particularly ineffective when returning user supplied input in an HTML or a JavaScript context, resulting in unsafe data being injected into these contexts, leading to attacker controlled JavaScript executing in the browser. One example of this is the string parameter in html/pages/inventory.inc.php.
CVSS Score
6.1
EPSS Score
0.0
Published
2019-09-09
An issue was discovered in LibreNMS through 1.47. It does not parameterize all user supplied input within database queries, resulting in SQL injection. An authenticated attacker can subvert these database queries to extract or manipulate data, as demonstrated by the graph.php sort parameter.
CVSS Score
8.8
EPSS Score
0.0
Published
2019-09-09
An issue was discovered in LibreNMS 1.50.1. A SQL injection flaw was identified in the ajax_rulesuggest.php file where the term parameter is used insecurely in a database query for showing columns of a table, as demonstrated by an ajax_rulesuggest.php?debug=1&term= request.
CVSS Score
8.1
EPSS Score
0.0
Published
2019-09-09