LibreNMS
cpe:2.3:a:librenms:librenms:*:*:*:*:*:*:*
- <= 26.1.1
A stored cross-site scripting vulnerability has been identified in LibreNMS versions through 26.1.1. The issue arises in the port group management feature, where the name of a newly created port group is not properly sanitized before being displayed. This flaw allows authenticated users with admin privileges to inject malicious scripts that are executed when the port group is accessed. The vulnerability is triggered by sending an HTTP POST request to the '/port-groups' endpoint with a crafted name parameter. The injected script is then executed when the corresponding port group is deleted, potentially leading to cookie theft or other malicious actions.
Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user.
To reproduce this vulnerability, log into LibreNMS with admin privileges and navigate to the 'Ports' management section. Create a new port group and enter a name that includes a JavaScript payload, such as an image tag pointing to an attacker-controlled server. After saving the port group, click the delete icon for the newly created group. The JavaScript payload will execute, sending the user's cookies to the specified server.
Users can upgrade to LibreNMS version 26.2.0 to address this vulnerability.
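The flaw class described above, shown as an added example that is not LibreNMS code or its actual fix: a delete-confirmation string built from a stored port group name, first unencoded and then HTML-encoded, plus a check that flags already-stored names containing markup for review. All function names and the sample rows are hypothetical and constructed for illustration.

```javascript
// Added example: hypothetical helpers, not taken from the LibreNMS code base.

// HTML-encode a value for use in element text or a quoted attribute.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: the stored name is concatenated into markup as-is,
// so any tag in the name becomes part of the page when the dialog renders.
function confirmDeleteUnsafe(name) {
  return '<p>Delete port group ' + name + '?</p>';
}

// Hardened pattern: the name is encoded at output time, so it is shown as text.
function confirmDeleteSafe(name) {
  return '<p>Delete port group ' + escapeHtml(name) + '?</p>';
}

// Audit helper: return the ids of stored names that contain angle brackets
// or HTML entities, so they can be reviewed and renamed.
function auditNames(rows) {
  return rows.filter((r) => /[<>]|&#?\w+;/.test(r.name)).map((r) => r.id);
}

// Constructed sample rows (assumed shape: id + name), not real data.
const sampleGroups = [
  { id: 1, name: 'Core uplinks' },
  { id: 2, name: '<img src="https://example.invalid/x">' },
  { id: 3, name: 'R&D access ports' },
];

console.log(confirmDeleteUnsafe(sampleGroups[1].name));
console.log(confirmDeleteSafe(sampleGroups[1].name));
console.log(auditNames(sampleGroups));
```

Encoding at output time covers names stored before the upgrade as well; the audit only locates them for cleanup.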