LibreNMS v22.1.0 allows users with the normal role/level to view/access the alert transport details. The alert transport may expose sensitive information to an actor that is not explicitly authorized to have access to that information which are supposedly accessible by the Administrator only.
1 GET http://{HOST}/alert-transports
~
1 Login as normal user.
2 Browse to http://{HOST}/alert-transports
3 We can view/access the alert transport information in details such as Transport Name, host IP, Transport Type, Personal Access Token, API Token etc.
~
This vulnerability is capable of leading to unauthorized sensitive information disclosure of relevant parties.