SQL Injection: Hibernate in LibreNMS - CVE-2024-32480
Published: April 20, 2024 / Updated: May 5, 2026
LibreNMS
Detailed vulnerability description
The vulnerability allows a remote user to extract the database.
The vulnerability exists due to SQL injection in the list_devices function in api_functions.php when handling the order parameter in API requests. A remote privileged user can send a specially crafted API request to extract the database.
Exploitation requires a valid API token with access to API functions.
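The usual mitigation for an injectable sort parameter is to parse the `order` value strictly and map it onto an allowlist, because column names and sort keywords cannot be bound as prepared-statement placeholders. The following is an added example, not LibreNMS code or its actual fix; the function name `safe_order_clause`, the column list and the `devices` table name are assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical allowlist of sortable columns; not taken from LibreNMS.
const SORTABLE_COLUMNS = ['hostname', 'device_id', 'last_polled'];

/**
 * Build an ORDER BY fragment from an untrusted "order" request parameter.
 * Only strings assembled here, from allowlisted parts, reach the SQL text;
 * the caller's raw value is never concatenated into the query.
 */
function safe_order_clause(?string $order, string $default = '`hostname` ASC'): string
{
    if ($order === null || $order === '') {
        return $default;
    }
    // Accept exactly "<column>" or "<column> ASC|DESC", nothing else.
    $pattern = '/\A\s*([A-Za-z_][A-Za-z0-9_]*)(?:\s+(ASC|DESC))?\s*\z/i';
    if (preg_match($pattern, $order, $m) !== 1) {
        throw new InvalidArgumentException('order: unsupported format');
    }
    $column = strtolower($m[1]);
    if (!in_array($column, SORTABLE_COLUMNS, true)) {
        throw new InvalidArgumentException('order: column not sortable');
    }
    // The direction group is absent from $m when the request omitted it.
    $direction = strtoupper($m[2] ?? 'ASC');
    return sprintf('`%s` %s', $column, $direction);
}

// Constructed sample inputs: two well-formed values and one that is not.
$samples = ['device_id desc', 'hostname', 'hostname DESC, unexpected tokens'];
foreach ($samples as $input) {
    try {
        // "devices" is a hypothetical table name used for illustration.
        echo 'SELECT * FROM devices ORDER BY ' . safe_order_clause($input), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        // Reject with an error instead of falling back silently, so that
        // malformed requests surface in API logs for review.
        echo 'rejected: ' . $e->getMessage(), PHP_EOL;
    }
}
```

Rejections raised this way can be logged together with the API token identity, which gives responders a record of authenticated clients sending malformed `order` values.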