Page 9 of 59 results (0.003 seconds)

CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0

In LibreNMS < 21.3.0, a stored XSS vulnerability was identified in the API Access page due to insufficient sanitization of the $api->description variable. As a result, arbitrary Javascript code can get executed. En LibreNMS versiones anteriores a 21.3.0, se ha identificado una vulnerabilidad de tipo XSS almacenada en la página de acceso a la API debido a un saneo insuficiente de la variable $api-)description. Como resultado, puede ser ejecutado código Javascript arbitrario • https://community.librenms.org/t/vulnerability-report-cross-site-scripting-xss-in-the-api-access-page/15431 https://github.com/librenms/librenms https://github.com/librenms/librenms/pull/12739 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1

A second-order SQL injection issue in Widgets/TopDevicesController.php (aka the Top Devices dashboard widget) of LibreNMS before 21.1.0 allows remote authenticated attackers to execute arbitrary SQL commands via the sort_order parameter against the /ajax/form/widget-settings endpoint. Un problema de inyección SQL de segundo orden en el archivo Widgets/TopDevicesController.php (también se conoce como el widget de tablero Top Devices) de LibreNMS versiones anteriores a 21.1.0, permite a atacantes remotos autenticados ejecutar comandos SQL arbitrarios por medio del parámetro sort_order contra el endpoint /ajax/form/widget-settings • https://github.com/librenms/librenms/blob/master/app/Http/Controllers/Widgets/TopDevicesController.php https://github.com/librenms/librenms/issues/12405 https://github.com/librenms/librenms/pull/12422 https://github.com/librenms/librenms/releases/tag/21.1.0 https://www.horizon3.ai/disclosures/librenms-second-order-sqli • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1

An issue was discovered in LibreNMS before 1.65.1. It has insufficient access control for normal users because of "'guard' => 'admin'" instead of "'middleware' => ['can:admin']" in routes/web.php. Se detectó un problema en LibreNMS versiones anteriores a 1.65.1. Presenta un control de acceso insuficiente para usuarios normales debido a "'guard' =) 'admin'" en lugar de "'middleware' =) ['can:admin']" en el archivo routes/web.php • https://community.librenms.org/c/announcements https://github.com/librenms/librenms/commit/e5bb6d80bc308fc56b9a01ffb76c34159995353c https://github.com/librenms/librenms/compare/1.65...1.65.1 https://github.com/librenms/librenms/pull/11915 https://github.com/librenms/librenms/releases/tag/1.65.1 https://shielder.it/blog •

CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 1

In LibreNMS before 1.65.1, an authenticated attacker can achieve SQL Injection via the customoid.inc.php device_id POST parameter to ajax_form.php. En LibreNMS versiones anteriores a 1.65.1, un atacante autenticado puede lograr una inyección SQL por medio del parámetro POST del archivo customoid.inc.php device_id en el archivo ajax_form.php • https://community.librenms.org/c/announcements https://github.com/librenms/librenms/commit/8f3a29cde5bbd8608f9b42923a7d7e2598bcac4e https://github.com/librenms/librenms/compare/1.65...1.65.1 https://github.com/librenms/librenms/pull/11923 https://research.loginsoft.com/bugs/blind-sql-injection-in-librenms • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1

An issue was discovered in LibreNMS through 1.47. Many of the scripts rely on the function mysqli_escape_real_string for filtering data. However, this is particularly ineffective when returning user supplied input in an HTML or a JavaScript context, resulting in unsafe data being injected into these contexts, leading to attacker controlled JavaScript executing in the browser. One example of this is the string parameter in html/pages/inventory.inc.php. Se descubrió un problema en LibreNMS versiones hasta 1.47. • https://www.darkmatter.ae/xen1thlabs/librenms-multiple-reflected-cross-site-scripting-vulnerability-xl-19-021 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •