LibreNMS Stored Cross-Site Scripting Vulnerability in Custom OID Functionality

A stored cross-site scripting vulnerability has been identified in LibreNMS versions 24.10.0 prior to 26.1.1. The issue arises in the Custom OID feature, where the 'unit' parameter is not properly sanitized before being saved to the database. Unlike other fields such as 'name', 'oid', and 'datatype', which are sanitized using 'strip_tags()', the 'unit' parameter is left open to injection. This unsanitized data is then rendered without HTML escaping, allowing for the execution of malicious scripts. The vulnerability can be exploited by users with device edit permissions, who can inject XSS payloads that are stored in the database and executed when other users view the device graphs.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the affected content. This could lead to session hijacking, cookie theft, and potentially allow an attacker to take over an admin account, performing malicious actions on behalf of the victim.

Reproduction

To reproduce this vulnerability, a user with device edit permissions can navigate to the Custom OID section and enter a unit value that includes a script tag or other HTML elements. Once saved, the injected script will be executed when the device graphs are viewed.

Remediation

Users can update to LibreNMS version 26.2.0 or later, where this vulnerability has been fixed.