LibreNMS Stored Cross-Site Scripting Vulnerability in Alert Templates

Vulnerability

A stored Cross-Site Scripting (XSS) vulnerability has been identified in LibreNMS versions through 25.6.0, specifically within the Alert Template creation feature. This vulnerability allows users with admin roles to inject malicious JavaScript that is executed when the template is rendered, potentially compromising other admin accounts. The issue arises because the 'Template name' field does not properly sanitize input, allowing scripts to be saved and executed later.

Impact

Exploitation of this vulnerability allows for stored Cross-Site Scripting, where injected scripts are executed in the context of the user viewing the template. This could lead to session hijacking, data theft, or other malicious actions targeting admin users.

Reproduction

To reproduce this vulnerability, log into LibreNMS with an admin account. Navigate to the Alert Templates page and click 'Create new alert template'. In the 'Template name' field, enter a script payload, for example a script tag containing JavaScript that raises an alert showing the document cookie. Fill the other fields with arbitrary content and save the template. The injected script will execute, confirming the XSS vulnerability.

Remediation

Users can upgrade to LibreNMS version 25.8.0 or later, where this vulnerability has been fixed.
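
The following is an added example, not LibreNMS code and not the project's actual fix: it contrasts rendering a stored template name as-is with encoding it for the HTML context, and audits a list of stored names for markup. The sample rows, function names and the idea of working from an exported list of (id, name) pairs are assumptions made for illustration.

```python
import html
import re

# Constructed sample rows (id, template name); not from a real installation.
SAMPLE_TEMPLATES = [
    (1, "Default Alert Template"),
    (2, "Disk usage > 90% & rising"),
    (3, "<script>alert(document.cookie)</script>"),
]

# An HTML parser only opens a tag when '<' is followed directly by a letter,
# by '/' and a letter, or by '!'. A display name has no reason to contain that.
TAG_OPENER = re.compile(r"<(/?[A-Za-z]|!)")


def render_unsafe(name):
    """Vulnerable pattern: the stored name is concatenated into HTML as-is."""
    return "<td>" + name + "</td>"


def render_safe(name):
    """Hardened pattern: encode for the HTML context at output time."""
    return "<td>" + html.escape(name, quote=True) + "</td>"


def audit(rows):
    """Return the ids of templates whose name contains a tag opener."""
    return [row_id for row_id, name in rows if TAG_OPENER.search(name)]


def report(rows):
    """Map each flagged id to its name in encoded form, safe to display."""
    flagged = set(audit(rows))
    return {rid: html.escape(name) for rid, name in rows if rid in flagged}


if __name__ == "__main__":
    for rid, shown in report(SAMPLE_TEMPLATES).items():
        print(f"template {rid}: name contains markup -> {shown}")
```

Names that merely contain `>` or `&` are encoded by `render_safe` but not flagged by `audit`, so legitimate names with comparison symbols do not produce findings.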

Added: Aug 18, 2025, 6:19 PM
Updated: Aug 18, 2025, 8:30 PM

Vulnerability Rating

Custom Algorithm

spread: 5.0
impact: 1.7
exploitability: 6.1
remediation: 7.7
relevance: 0.4
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.