LibreNMS Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in LibreNMS versions prior to 24.11.0. This issue allows remote attackers to inject malicious scripts into the 'Display Name' field of device settings. The injected script is executed when the data is viewed, potentially leading to unauthorized actions or exposure of sensitive information.

Impact

Exploitation of this vulnerability allows for the execution of injected scripts, which could be used to perform unauthorized actions or access sensitive data.

Reproduction

To reproduce this vulnerability, add a new device in LibreNMS and navigate to the 'Device Settings' section. In the 'Display Name' field, enter a script injection payload, such as an image tag with an 'onerror' event. After saving the changes, the injected script executes when the device logs are viewed and the relevant tag is hovered over.

Remediation

Users are advised to upgrade to LibreNMS version 24.12.0 or later.
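Added example, not LibreNMS code: a sketch of the output-encoding pattern that prevents a stored 'Display Name' from being interpreted as markup, plus an audit pass that flags already-stored names containing HTML. The function names, the record layout and the sample rows are assumptions constructed for illustration.

```python
import html
import re

# Constructed sample rows standing in for stored device records (not real data).
DEVICES = [
    {"device_id": 1, "display_name": "core-sw-01"},
    {"device_id": 2, "display_name": "R&D lab router"},
    {"device_id": 3, "display_name": "<img src=x onerror=alert(1)>"},
]

# Matches an HTML tag or an inline event-handler attribute such as onerror=.
MARKUP = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>|\bon[a-z]+\s*=", re.IGNORECASE)


def render_unsafe(name):
    """'Before' pattern: the stored value is concatenated into markup as-is."""
    return '<span class="device" title="' + name + '">' + name + "</span>"


def render_safe(name):
    """Encode at output time; quote=True also covers the quoted attribute."""
    esc = html.escape(name, quote=True)
    return f'<span class="device" title="{esc}">{esc}</span>'


def audit(devices):
    """Return ids of devices whose stored name contains HTML markup."""
    return [d["device_id"] for d in devices if MARKUP.search(d["display_name"])]


if __name__ == "__main__":
    for dev in DEVICES:
        print(dev["device_id"], render_safe(dev["display_name"]))
    print("names to review:", audit(DEVICES))
```

Names flagged by the audit were stored before any fix was applied, so they are worth reviewing and cleaning even after the upgrade.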

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 5.0
impact: 1.7
exploitability: 6.3
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.