SB2023111779 - Multiple vulnerabilities in LibreNMS
Published: November 17, 2023 Updated: May 5, 2026
Description
This security bulletin contains information about 3 vulnerabilities.
1) Cross-site scripting (CVE-ID: CVE-2023-48295)
The vulnerability allows a remote user to execute arbitrary script code in the victim's browser.
The vulnerability exists due to insufficient sanitization of device group names in DeviceGroupController.php: when a device group is deleted, the group name is rendered unescaped in the deletion message. A remote user who can create device groups can set a crafted name that executes arbitrary script code in the browser of the user who triggers that message.
User interaction is required to trigger the malicious script.
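The following is an added illustration of the rendering flaw, not code from LibreNMS or from the advisory: a deletion message is built from a user-controlled group name once unsafely and once with HTML escaping. The message wording, the payload and the helper names are constructed for the example. It also shows why returning the message inside a JSON body is not a fix on its own, since JSON encoding leaves `<` and `>` untouched.

```python
import html
import json
import re


def deletion_message_unsafe(group_name: str) -> str:
    """Vulnerable pattern (constructed): the group name is interpolated verbatim
    into a message that the browser renders as HTML, so markup becomes live."""
    return f"Device Group {group_name} deleted"


def deletion_message_safe(group_name: str) -> str:
    """Hardened pattern: escape the name for an HTML context before interpolating.
    quote=True also neutralises quotes, which matters in attribute contexts."""
    return f"Device Group {html.escape(group_name, quote=True)} deleted"


def json_body(message: str) -> str:
    """Serialise the message the way a controller returning JSON might.
    JSON encoding only escapes quotes and control characters, so a tag
    inside the message survives and is still dangerous if the client
    inserts the string into the DOM as HTML."""
    return json.dumps({"message": message})


def contains_markup(text: str) -> bool:
    """Check helper: does the text still carry an HTML tag?"""
    return re.search(r"<[a-zA-Z][^>]*>", text) is not None


# Constructed inputs: a benign group name and a crafted one carrying a tag.
BENIGN_NAME = "core-switches"
CRAFTED_NAME = "<img src=x onerror=alert(1)>"

if __name__ == "__main__":
    for name in (BENIGN_NAME, CRAFTED_NAME):
        print("unsafe:", json_body(deletion_message_unsafe(name)))
        print("safe:  ", json_body(deletion_message_safe(name)))
```

The escaping has to happen at the point where the string enters an HTML context; escaping on input would corrupt group names shown in non-HTML contexts and is easy to bypass through other write paths.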
2) Information Exposure Through an Error Message (CVE-ID: CVE-2023-48294)
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in graph.php when handling graph image requests for device dashboards. A remote user can send a crafted request containing a device id or hostname and obtain information about that device.
Because the response differs depending on whether the supplied device exists (graph output versus an error), the endpoint can be used as an oracle to enumerate registered devices.
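As an added example (not code from LibreNMS or the advisory), the snippet below models the enumeration oracle described above and the check a tester would apply to it. The responses are constructed, not captured from a real instance; the "fixed" table assumes that a hardened handler returns the same response to a caller without access regardless of whether the device exists, which is the property that closes the oracle, not a claim about the vendor's actual patch. The hostnames and the fetch helper are likewise constructed.

```python
from dataclasses import dataclass
from typing import Callable, Iterable


@dataclass(frozen=True)
class Response:
    status: int
    content_type: str
    body: bytes


def classify(resp: Response) -> str:
    """'graph' when the server returned image data, 'error' otherwise.
    Content-Type and the PNG signature are both checked so a mislabelled
    image is still recognised."""
    if resp.content_type.startswith("image/") or resp.body.startswith(b"\x89PNG"):
        return "graph"
    return "error"


def is_existence_oracle(for_known: Response, for_unknown: Response) -> bool:
    """True when a caller can distinguish a registered device from an
    unregistered one purely from the response, i.e. the endpoint leaks
    device existence to someone who should not see that device."""
    return (classify(for_known), for_known.status) != (
        classify(for_unknown), for_unknown.status
    )


def enumerate_devices(candidates: Iterable[str], fetch: Callable[[str], Response]) -> list:
    """Simulated enumeration: report every candidate for which a graph comes back.
    fetch is injected so the example runs offline."""
    return [c for c in candidates if classify(fetch(c)) == "graph"]


PNG_STUB = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8   # constructed image bytes

# Constructed responses standing in for a vulnerable instance: a registered
# device yields an image, anything else yields an error page.
VULNERABLE = {
    "core-sw01": Response(200, "image/png", PNG_STUB),
    "no-such-host": Response(200, "text/html", b"<p>Could not find device</p>"),
}

# Constructed responses with the property a fix should have (assumption, not
# the vendor's patch): without access, the response is identical either way.
FIXED = {
    "core-sw01": Response(403, "text/html", b"<p>Access denied</p>"),
    "no-such-host": Response(403, "text/html", b"<p>Access denied</p>"),
}


def probe(table: dict) -> Callable[[str], Response]:
    """Return a fetch function serving from a constructed response table;
    unknown names fall back to the table's 'no-such-host' entry."""
    return lambda name: table.get(name, table["no-such-host"])


if __name__ == "__main__":
    wordlist = ["core-sw01", "edge-rtr02", "no-such-host"]
    print("vulnerable:", enumerate_devices(wordlist, probe(VULNERABLE)))
    print("fixed:     ", enumerate_devices(wordlist, probe(FIXED)))
```

When testing a live instance, compare responses for a device you know exists against a name that cannot exist, using the same unprivileged session for both; status code, content type and body length are the usual tells, and a fixed instance shows no difference across all three.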
3) Improper Restriction of Excessive Authentication Attempts (CVE-ID: CVE-2023-46745)
The vulnerability allows a remote attacker to brute-force user credentials.
The vulnerability exists due to improper restriction of excessive authentication attempts in the login page authentication handler when processing GET-based authentication requests. A remote attacker can send an unlimited number of authentication requests to brute-force user accounts and gain access to the affected application.
One login method uses GET requests for authentication, so the submitted credentials appear in the URL and can be recorded in web server and proxy logs and in browser history.
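For the detection side, the following added example (not LibreNMS code and not from the advisory) runs two checks over constructed web server access-log lines: it flags GET requests to the login path whose query string carries credential parameters, which is the log exposure noted above, and it flags source addresses that exceed an attempt threshold within a sliding window, which is what the missing rate limit would otherwise let through unnoticed. The login path, the parameter names `username` and `password`, the log format (Apache combined) and all log lines are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

LOGIN_PATH = "/login"                           # assumption
CREDENTIAL_PARAMS = {"username", "password"}    # assumption

# Apache combined log format, the usual shape of a web server access log.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line: str):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = urlsplit(m["target"])
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": target.path,
        "params": set(parse_qs(target.query).keys()),
        "status": int(m["status"]),
    }


def is_auth_attempt(ev: dict) -> bool:
    """A POST to the login path, or a GET that carries credentials in the query.
    A plain GET of the login page is the form being loaded, not an attempt."""
    if ev["path"] != LOGIN_PATH:
        return False
    return ev["method"] == "POST" or (
        ev["method"] == "GET" and bool(ev["params"] & CREDENTIAL_PARAMS)
    )


def credential_leaks(lines) -> list:
    """(ip, timestamp) for every GET request that put credentials in the URL."""
    out = []
    for line in lines:
        ev = parse_line(line)
        if ev and ev["method"] == "GET" and ev["path"] == LOGIN_PATH and ev["params"] & CREDENTIAL_PARAMS:
            out.append((ev["ip"], ev["ts"].isoformat()))
    return out


def brute_force_sources(lines, threshold: int = 5, window: timedelta = timedelta(minutes=1)) -> list:
    """Source IPs with more than `threshold` authentication attempts inside
    any window of length `window` (sliding over sorted timestamps)."""
    attempts = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and is_auth_attempt(ev):
            attempts[ev["ip"]].append(ev["ts"])
    flagged = []
    for ip, stamps in attempts.items():
        stamps.sort()
        start = 0
        for end, t in enumerate(stamps):
            while t - stamps[start] > window:
                start += 1
            if end - start + 1 > threshold:
                flagged.append(ip)
                break
    return sorted(flagged)


# Constructed log: one source sends six GET-based login attempts in six
# seconds; a legitimate user loads the form and logs in once with a POST.
ATTACKER_LINES = [
    f'203.0.113.10 - - [17/Nov/2023:10:00:{s:02d} +0000] '
    f'"GET /login?username=admin&password=guess{s} HTTP/1.1" 200 512 "-" "curl/8.4.0"'
    for s in range(1, 7)
]
SAMPLE_LOG = ATTACKER_LINES + [
    '198.51.100.7 - - [17/Nov/2023:10:05:00 +0000] "GET /login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [17/Nov/2023:10:05:09 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print("credentials in URL:", credential_leaks(SAMPLE_LOG))
    print("brute-force sources:", brute_force_sources(SAMPLE_LOG))
```

Passwords already written to the log are the lasting damage here: once the update is applied, the historical access logs still contain them, so rotate any credentials that appear in such entries and restrict access to the log files.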
Remediation
Install the update from the vendor's website.
References
- https://github.com/librenms/librenms/security/advisories/GHSA-8phr-637g-pxrg
- https://github.com/librenms/librenms/blob/63eeeb71722237d1461a37bb6da99fda25e02c91/app/Http/Controllers/DeviceGroupController.php#L173C21-L173C21
- https://github.com/librenms/librenms/security/advisories/GHSA-fpq5-4vwm-78x4
- https://github.com/librenms/librenms/blob/fa93034edd40c130c2ff00667ca2498d84be6e69/html/graph.php#L19C1-L25C2
- https://github.com/librenms/librenms/security/advisories/GHSA-rq42-58qf-v3qx