Information Exposure Through an Error Message in LibreNMS - CVE-2023-48294

 


Published: November 17, 2023 / Updated: May 5, 2026


Vulnerability identifier: #VU129749
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2023-48294
CWE-ID: CWE-209
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: LibreNMS
Software vendor: LibreNMS Project

Description

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper access control in graph.php when handling graph image requests for device dashboards. A remote user can send a crafted request with a device id or hostname to disclose sensitive information.

The issue can be used to enumerate registered devices by observing whether graph output is returned or an error occurs.
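One way to spot the device enumeration described above in web server access logs, as an added example that is not part of the advisory or of LibreNMS. It assumes combined-format logs and that the device id or hostname travels in a `device` query parameter; the log lines, threshold and window are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

DEVICE_PARAM = "device"  # assumption: query parameter holding the device id or hostname
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) ')

def _line(ip, sec, device):
    # Builds one constructed access-log line in combined log format.
    return (f'{ip} - - [17/Nov/2023:10:00:{sec:02d} +0000] '
            f'"GET /graph.php?{DEVICE_PARAM}={device} HTTP/1.1" 200 512')

# Constructed sample: one client walks ids 1..12, another reloads ids 3 and 4.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.9", s, s + 1) for s in range(12)]
    + [_line("198.51.100.7", s * 5, 3 + s % 2) for s in range(10)]
)

def parse(line):
    """Return (client, timestamp, device) for a graph.php request, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    client, ts, target = m.groups()
    url = urlsplit(target)
    values = parse_qs(url.query).get(DEVICE_PARAM)
    if not url.path.endswith("/graph.php") or not values:
        return None
    return client, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), values[0].lower()

def find_enumerators(log_text, max_distinct=5, window=timedelta(minutes=5)):
    """Return {client: peak distinct devices in any window} for clients above max_distinct."""
    per_client = defaultdict(list)
    for rec in filter(None, map(parse, log_text.splitlines())):
        per_client[rec[0]].append(rec[1:])
    flagged = {}
    for client, events in per_client.items():
        events.sort()
        start = peak = 0
        for end, (when, _) in enumerate(events):
            while when - events[start][0] > window:  # slide the window forward
                start += 1
            peak = max(peak, len({dev for _, dev in events[start:end + 1]}))
        if peak > max_distinct:
            flagged[client] = peak
    return flagged

if __name__ == "__main__":
    print(find_enumerators(SAMPLE_LOG))
```

Tune `max_distinct` and `window` against normal dashboard traffic, since a legitimate overview page may request graphs for many devices at once.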


Remediation

Install the security update from the vendor's website.
