CVE-2023-48294

🗓️ 17 Nov 2023 21:12:59Reported by GitHub_MType

cve🔗 web.nvd.nist.gov👁 66 Views🌐 WEB

LibreNMS vulnerability allows low privilege users to enumerate devices and view admin-registered devices

Reporter	Title	Published	Views	Family All 10
CNNVD	LibreNMS Security Vulnerabilities	17 Nov 202300:00	–	cnnvd
Cvelist	CVE-2023-48294 Broken Access control on Graphs Feature in LibreNMS	17 Nov 202321:12	–	cvelist
EUVD	EUVD-2023-2960	3 Oct 202520:07	–	euvd
Github Security Blog	LibreNMS has Broken Access control on Graphs Feature	17 Nov 202321:51	–	github
NVD	CVE-2023-48294	17 Nov 202322:15	–	nvd
OSV	CVE-2023-48294 Broken Access control on Graphs Feature in LibreNMS	17 Nov 202321:12	–	osv
OSV	GHSA-FPQ5-4VWM-78X4 LibreNMS has Broken Access control on Graphs Feature	17 Nov 202321:51	–	osv
Prion	Design/Logic Flaw	17 Nov 202322:15	–	prion
Positive Technologies	PT-2023-30763 · Librenms · Librenms	17 Nov 202300:00	–	ptsecurity
Veracode	Information Disclosure	20 Nov 202306:27	–	veracode

NVD

Vulners

Node

librenms librenmsRange<23.11.0

[
  {
    "vendor": "librenms",
    "product": "librenms",
    "versions": [
      {
        "version": "< 23.11.0",
        "status": "affected"
      }
    ]
  }
]

Source	Link
github	www.github.com/librenms/librenms/security/advisories/GHSA-fpq5-4vwm-78x4
github	www.github.com/librenms/librenms/commit/489978a923ed52aa243d3419889ca298a8a6a7cf
github	www.github.com/librenms/librenms/blob/fa93034edd40c130c2ff00667ca2498d84be6e69/html/graph.php

Parameter	Position	Path	Description	CWE
id	query param	graph.php	Low-privilege user can access graph.php to enumerate devices by id or hostname and see all devices registered by admin users.	CWE-200
hostname	query param	graph.php	Low-privilege user can access graph.php to enumerate devices by id or hostname and see all devices registered by admin users.	CWE-200

21 Nov 2024 08:31Current

4.5Medium risk

Vulners AI Score4.5

CVSS 3.14.3

EPSS0.00024

CWE-200