LibreNMS Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in LibreNMS versions prior to 24.11.0. The issue resides in the '/device/$DEVICE_ID/edit' endpoint, specifically within the 'display' parameter. This vulnerability allows remote attackers to inject malicious scripts that are executed when users view or interact with the affected page, potentially leading to unauthorized actions or data exposure.

Impact

Successful exploitation runs the injected script in the browser of whichever user views the affected page, within that user's session context, which could lead to unauthorized actions or exposure of sensitive information.

Reproduction

To reproduce this vulnerability, add a new device through the LibreNMS interface, then edit the device by navigating to the 'Device Settings' section. In the 'Display Name' field, enter a script payload, such as a script tag including an alert command. After saving the changes, the injected script executes when the '/apps' path is accessed, provided an application was previously added. The vulnerability can also be reproduced by injecting a script payload into the 'Display Name' field and then accessing the '/device/$DEVICE_ID/ports/arp' path, where the payload executes when hovering over the modified 'Port' field value.

Remediation

Users are advised to upgrade to LibreNMS version 24.11.0 or later.
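As an added illustration (not LibreNMS code), the following shows the two rendering contexts the reproduction steps describe, the page text and the hovered attribute, with the escaping that neutralises a stored name in both, plus an audit over constructed device records for names saved before the upgrade; the record fields, the 'render_port_cell' function and the sample data are assumptions.

```python
import html
import json
import re

# Constructed sample export of device records (not real LibreNMS data).
# 'display' stands for the Device Settings "Display Name" field named above.
SAMPLE_DEVICES_JSON = json.dumps([
    {"device_id": 1, "hostname": "core-sw1.example.net", "display": "Core Switch 1"},
    {"device_id": 2, "hostname": "edge-fw.example.net", "display": "<script>alert(1)</script>"},
    {"device_id": 3, "hostname": "ap-17.example.net", "display": "AP 17 \" onmouseover=\"alert(1)"},
    {"device_id": 4, "hostname": "lab.example.net", "display": "R&D lab router"},
])

# Any of these characters can change the meaning of a raw string inside an
# HTML text node or a quoted attribute value (such as a hovered 'title').
HTML_METACHARS = re.compile(r'[<>"\'&]')


def risky_display_names(devices_json: str) -> list[int]:
    """Return device_ids whose display name contains HTML metacharacters.

    Meant as a post-upgrade audit of stored data: upgrading to 24.11.0 fixes
    the rendering, but names written before the fix stay in the database.
    Benign names with an ampersand are flagged too; this is a review list,
    not a verdict.
    """
    devices = json.loads(devices_json)
    return [d["device_id"] for d in devices
            if d.get("display") and HTML_METACHARS.search(d["display"])]


def render_port_cell(display: str) -> str:
    """Render a display name as the affected view should: escaped for both the
    text node and the quoted 'title' attribute.  html.escape(quote=True)
    also encodes both quote characters, which closes the attribute context."""
    safe = html.escape(display, quote=True)
    return f'<td title="{safe}">{safe}</td>'
```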

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 5.0
impact: 1.7
exploitability: 6.3
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.