LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring system that includes support for a wide range of network hardware and operating systems. In affected versions of LibreNMS, when a user accesses their device dashboard, one request is sent to `graph.php` to access graphs generated on the particular device. This request can be accessed by a low privilege user, and they can enumerate devices on LibreNMS with their id or hostname. Leveraging this vulnerability, a low privilege user can see all devices registered by admin users. This vulnerability has been addressed in commit `489978a923`, which has been included in release version 23.11.0.

Affected versions are subject to a cross site scripting (XSS) vulnerability in the device group popups. This issue has been addressed in commit `faf66035ea`, which has been included in release version 23.11.0. There are no known workarounds for this vulnerability.

Warpgate is an open source SSH, HTTPS and MySQL bastion host for Linux. In affected versions there is a privilege escalation vulnerability through a non-admin user's account. Limited users can impersonate another user's account if only single-factor authentication is configured. If a user knows an admin username, opens the login screen and attempts to authenticate with an incorrect password, they can subsequently enter a valid non-admin username and password, and they will be logged in as the admin user. All installations prior to version 0.9.0 are affected.