LibreNMS Reflected Cross-Site Scripting Vulnerability in Node Image Mapping Endpoint

Vulnerability

A reflected cross-site scripting vulnerability has been identified in LibreNMS versions prior to 25.11.0. The issue occurs at the '/maps/nodeimage' endpoint, where the 'Image Name' parameter is reflected in the HTTP response without adequate output encoding or sanitization. This flaw allows an attacker to create a URL that, when clicked by a victim, executes arbitrary JavaScript in the victim's browser. The vulnerability has been patched in LibreNMS version 25.11.0.
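The defect class the advisory describes, a request value reflected into HTML without output encoding, shown beside the encoded form. This is an added illustration, not LibreNMS's own code; the function names, the table-cell context and the self-check are assumptions, not taken from the project.

```php
<?php
// Added example, not LibreNMS code. Shows a parameter reflected raw into an
// HTML response next to the same reflection with output encoding applied.
declare(strict_types=1);

/** Vulnerable pattern (assumed context): the raw name lands in the markup. */
function render_node_image_vulnerable(string $imageName): string
{
    return '<td>' . $imageName . '</td>';
}

/** Hardened pattern: encode for HTML element/attribute context first. */
function render_node_image_safe(string $imageName): string
{
    // ENT_QUOTES also encodes ' and " so the value stays inert inside quoted
    // attributes; ENT_SUBSTITUTE avoids an empty result on invalid UTF-8.
    // Laravel Blade applies this kind of encoding for {{ $name }} but not for
    // {!! $name !!}; a value placed inside a <script> block or an event handler
    // needs JavaScript-context encoding instead, which this does not provide.
    $encoded = htmlspecialchars($imageName, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
    return '<td>' . $encoded . '</td>';
}

/** Regression check: the raw render reflects the tag, the safe render does not,
 *  and the encoded value still decodes back to the original display name. */
function self_check(): bool
{
    // Constructed probe: the alert-style script tag the advisory describes.
    $probe = '<script>alert(1)</script>';
    $raw   = render_node_image_vulnerable($probe);
    $safe  = render_node_image_safe($probe);
    $inner = substr($safe, strlen('<td>'), -strlen('</td>'));
    return str_contains($raw, '<script>')
        && !str_contains($safe, '<script>')
        && html_entity_decode($inner, ENT_QUOTES | ENT_HTML5, 'UTF-8') === $probe;
}

echo self_check() ? "output encoding check passed\n" : "output encoding check FAILED\n";
```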

Impact

Exploitation of this vulnerability allows for the execution of arbitrary JavaScript in the context of the user who clicks the crafted link. This could lead to session hijacking by stealing cookies or authentication tokens, performing actions on behalf of the victim, phishing attacks, or further exploitation depending on the application context and user privileges.

Reproduction

To reproduce this vulnerability, authenticate as a user with permission to manage Node Images. Navigate to the '/maps/nodeimage' endpoint and start adding a new image. In the 'Image Name' parameter, enter a script payload, such as a script tag containing JavaScript code (for example, an alert). Once the image is saved, the injected script executes in the browser, demonstrating the cross-site scripting vulnerability.

Remediation

Users are advised to update LibreNMS to version 25.11.0 or later, where this vulnerability has been patched.

Added: Nov 18, 2025, 11:19 PM
Updated: Nov 18, 2025, 11:19 PM

Vulnerability Rating

Custom Algorithm

  spread          5.0
  impact          3.5
  exploitability  5.9
  remediation     7.7
  relevance       1.1
  threat          6.4
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.