Headline
GHSA-72m9-7c8x-pmmw: LibreNMS uses Improper Sanitization on Service template name leads to Stored XSS
Summary
The Service template name is not properly sanitized before it is reflected into the delete button's onclick event handler. This value can be modified and crafted to contain arbitrary JavaScript code.
Vulnerable Code
https://github.com/librenms/librenms/blob/a61c11db7e8ef6a437ab55741658be2be7d14d34/app/Http/Controllers/ServiceTemplateController.php#L67C23-L67C23
The line linked above is the vulnerable code; the value it emits needs to be properly sanitized.
PoC
- Go to /services/templates
- Enter name as
testing', '14', 'http://172.105.62.194:8000/services/templates/14');alert(1);//
- Submit it and try to delete it; you will see a popup
If you inspect the delete button element, you will notice this: <img width="748" alt="Screenshot 2023-11-23 at 9 30 24 PM" src="https://user-images.githubusercontent.com/31764504/285260018-7672a93d-e29b-4444-8057-e6ffcb8dabfc.png">
Impact
Cross-site scripting can lead to cookie theft, or an attacker can use it to execute any other feature of the application.
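The PoC works because the template name lands inside a JavaScript string literal that itself sits inside an HTML attribute, so the value must be encoded for both contexts. The PHP below is an added example, not LibreNMS code; `delete_st()`, the parameter names and the `nms.example` host are assumptions made for illustration.

```php
<?php
// Added illustration, not LibreNMS source. delete_st() and all parameter names are hypothetical.

// Vulnerable pattern: stored name concatenated into a JS string inside an HTML attribute.
function onclick_raw(string $name, int $id, string $url): string
{
    return "delete_st(this, '$name', '$id', '$url');";
}

// Insufficient: HTML-escaping only. The browser decodes &#039; back to ' before
// compiling the handler, so the JS string literal is still closed early.
function onclick_html_only(string $name, int $id, string $url): string
{
    return htmlspecialchars(onclick_raw($name, $id, $url), ENT_QUOTES, 'UTF-8');
}

// Hardened: encode for the inner context (JS literal) first, then the outer one (HTML attribute).
function onclick_safe(string $name, int $id, string $url): string
{
    $f = JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP | JSON_THROW_ON_ERROR;
    $js = sprintf('delete_st(this, %s, %s, %s);',
        json_encode($name, $f), json_encode($id, $f), json_encode($url, $f));
    return htmlspecialchars($js, ENT_QUOTES, 'UTF-8');
}

// What the JS engine receives: the attribute value after HTML entity decoding.
function js_seen_by_browser(string $attr): string
{
    return html_entity_decode($attr, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Crude check: strip quoted string literals and return the code that remains.
function code_outside_strings(string $js): string
{
    return preg_replace('/"(?:\\\\.|[^"\\\\])*"|\'(?:\\\\.|[^\'\\\\])*\'/', '', $js);
}

// Constructed input modelled on the PoC above, with a placeholder host.
$name = "x', '1', 'http://nms.example/services/templates/1');alert(1);//";
$url = 'http://nms.example/services/templates/1';
foreach (['onclick_raw', 'onclick_html_only', 'onclick_safe'] as $fn) {
    $code = code_outside_strings(js_seen_by_browser($fn($name, 1, $url)));
    $escaped = strpos($code, 'alert(1)') !== false;
    printf("%-18s %s\n", $fn, $escaped ? 'payload runs as code' : 'payload stays data');
}
```

Placing the values in `data-*` attributes and reading them from a registered event listener avoids generating JavaScript from stored data at all.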
CVE ID: CVE-2024-32479
Severity: High (GitHub Reviewed)
Published: Apr 20, 2024 in librenms/librenms (updated Apr 22, 2024)
Package: librenms/librenms (Composer)
Affected versions: < 24.4.0
Published to the GitHub Advisory Database: Apr 22, 2024
Last updated: Apr 22, 2024