LibreNMS Stored Cross-Site Scripting Vulnerability in Device Group Management

Vulnerability

A stored cross-site scripting vulnerability has been identified in LibreNMS versions through 26.1.1. The issue arises in the device group management feature, where the group name is not properly sanitized. This flaw allows attackers with admin privileges to inject malicious scripts that are executed when the group is accessed. The vulnerability is exploited by creating a device group with a name containing JavaScript, which is then executed when the group is deleted.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user.

Reproduction

To reproduce this vulnerability, log in to LibreNMS as an admin. Navigate to 'Devices' and select 'Manage Groups'. Create a new device group and enter a name that includes a JavaScript payload, such as an image request to an attacker-controlled server. After saving the group, use the delete function. This triggers execution of the injected script, which sends the payload to the specified server.

Remediation

Users can upgrade to LibreNMS version 26.2.0 to address this vulnerability.
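
The class of flaw described above, shown as an added example that is not LibreNMS source code: a stored group name concatenated into delete-confirmation markup beside the same output with the name HTML-encoded, plus a helper for reviewing stored names. All function names, the confirmation wording and the sample group names are assumptions constructed for illustration.

```javascript
// Added illustration; not LibreNMS code. All names here are hypothetical.

// Encode the five characters that let text break out of HTML element
// content or a quoted attribute value.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: the stored name is concatenated into markup, so a
// browser rendering this string parses any tags the name contains.
function deleteConfirmUnsafe(groupName) {
  return '<p>Delete device group ' + groupName + '?</p>';
}

// Hardened pattern: the name is encoded at output time and stays text.
function deleteConfirmSafe(groupName) {
  return '<p>Delete device group ' + escapeHtml(groupName) + '?</p>';
}

// Review helper: report stored names containing markup metacharacters so
// an administrator can inspect them, for example after upgrading.
function findSuspectNames(names) {
  return names.filter((name) => /[<>"'`]/.test(name));
}

// Constructed sample data; example.invalid never resolves.
const sampleNames = [
  'core-switches',
  'Branch & Remote',
  '<img src="https://example.invalid/x.png">',
];

for (const name of sampleNames) {
  console.log('unsafe:', deleteConfirmUnsafe(name));
  console.log('safe:  ', deleteConfirmSafe(name));
}
console.log('names to review:', findSuspectNames(sampleNames));
```

Encoding at the point of output protects every page that renders the name, including names that were stored before the upgrade.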

Added: Feb 20, 2026, 3:24 AM
Updated: Feb 20, 2026, 3:24 AM

Vulnerability Rating

Custom Algorithm

spread: 5.0
impact: 1.7
exploitability: 5.7
remediation: 7.7
relevance: 3.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.