CVE-2019-10671
HIGHLibreNMS < 1.47 - Authenticated SQL Injection via graph.php sort Parameter
Title source: llmDescription
An issue was discovered in LibreNMS through 1.47. It does not parameterize all user supplied input within database queries, resulting in SQL injection. An authenticated attacker can subvert these database queries to extract or manipulate data, as demonstrated by the graph.php sort parameter.
References (1)
Core 1
Core References
Exploit, Third Party Advisory x_refsource_misc
https://www.darkmatter.ae/xen1thlabs/librenms-multiple-sql-injection-vulnerability-xl-19-025/
Scores
CVSS v3
8.8
EPSS
0.0135
EPSS Percentile
68.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-89
Status
published
Products (2)
librenms/librenms
< 1.47
librenms/librenms
0 - 1.50.1Packagist
Published
Sep 09, 2019
Tracked Since
Feb 18, 2026