LibreNMS Stored Cross-Site Scripting Vulnerability in Alert Transports Management

Vulnerability

A stored cross-site scripting vulnerability has been identified in LibreNMS versions through 25.8.0, specifically within the Alert Transports management feature. This issue arises because the Transport name field, when populated by an administrator, is saved and later displayed in the Transports column of the Alert Rules page without adequate input validation or output encoding. As a result, this flaw allows for the execution of arbitrary JavaScript in the administrator's browser. The vulnerability has been patched in LibreNMS version 25.10.0.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected JavaScript is executed in the context of the user viewing the affected Alert Rules page.

Reproduction

To reproduce this vulnerability, log in as an administrator and navigate to the Alert Transports management page. Create a new Alert Transport by entering a payload containing JavaScript into the Transport name field. After saving the transport, go to the Alert Rules page. The injected JavaScript will execute, demonstrating the cross-site scripting vulnerability.

Remediation

Users can upgrade to LibreNMS version 25.10.0 or later to address this vulnerability.
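
The missing output encoding described under Vulnerability, shown as an added PHP example; this is not LibreNMS code and not the project's patch. The function names, array keys and sample rows are hypothetical and constructed for illustration.

```php
<?php
// Added illustration only. Function names, array keys and rows are
// hypothetical; none of this is taken from the LibreNMS code base.

const ENCODE_FLAGS = ENT_QUOTES | ENT_SUBSTITUTE;

// Before: the stored name is concatenated into markup as-is, so any
// markup inside it is interpreted by the browser.
function renderTransportCellUnsafe(array $transport): string
{
    return '<td><span class="label">' . $transport['name'] . '</span></td>';
}

// After: the name is encoded for the HTML context at output time.
// ENT_QUOTES also covers the attribute position (title="...").
function renderTransportCellSafe(array $transport): string
{
    $name = htmlspecialchars($transport['name'], ENCODE_FLAGS, 'UTF-8');
    return '<td><span class="label" title="' . $name . '">' . $name . '</span></td>';
}

// Audit helper: return the rows whose stored name contains characters
// that change meaning in HTML (& < > " '), for manual review.
function findNamesNeedingReview(array $transports): array
{
    return array_values(array_filter($transports, function (array $t): bool {
        return $t['name'] !== htmlspecialchars($t['name'], ENCODE_FLAGS, 'UTF-8');
    }));
}

// Constructed sample rows standing in for stored transport records.
$rows = [
    ['id' => 1, 'name' => 'NOC email'],
    ['id' => 2, 'name' => 'Ops <b>pager</b>'],
    ['id' => 3, 'name' => 'On-call "primary" & backup'],
];

foreach ($rows as $row) {
    echo 'unsafe: ', renderTransportCellUnsafe($row), "\n";
    echo 'safe:   ', renderTransportCellSafe($row), "\n";
}

foreach (findNamesNeedingReview($rows) as $row) {
    printf("review transport id=%d name=%s\n", $row['id'], json_encode($row['name']));
}
```

Names flagged by the helper are not necessarily malicious (an ampersand is enough to flag one); they are the entries worth checking by hand.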

Added: Oct 16, 2025, 6:18 PM
Updated: Oct 16, 2025, 8:21 PM

Vulnerability Rating

Custom Algorithm

spread: 5.0
impact: 1.7
exploitability: 6.1
remediation: 7.7
relevance: 0.8
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.