CVE-2023-48294: 
PHP vulnerability analysis and mitigation

LibreNMS, an auto-discovering PHP/MySQL/SNMP based network monitoring system, was found to contain a broken access control vulnerability (CVE-2023-48294) in versions prior to 23.11.0. The vulnerability was discovered and disclosed on November 17, 2023, affecting the graph.php functionality which is used to access graphs generated for devices (GitHub Advisory).

The vulnerability exists in the graph.php component where the application fails to properly check access privileges for different user roles. When a user accesses their Device dashboard, a request is sent to graph.php to access device-generated graphs. The vulnerability allows low-privileged users to access this endpoint and enumerate devices on LibreNMS using either device IDs or hostnames. The issue has been assigned a CVSS v3.1 base score of 4.3 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N (NVD).

The vulnerability allows low-privileged users to enumerate and view information about all devices registered by admin users in the LibreNMS system. This represents an unauthorized information disclosure that could potentially expose sensitive network infrastructure details (GitHub Advisory).

The vulnerability has been patched in LibreNMS version 23.11.0 through commit 489978a923. Users are advised to upgrade to this version or later. The fix implements proper privilege access control checks to verify if low-privilege users have appropriate access permissions (GitHub Advisory).