CVE-2024-32479

LibreNMS's Improper Sanitization on Service template name leads to Stored XSS

CVSS 7.1 HIGH · EPSS 34.1% · CWE-79

In short

LibreNMS, a network monitoring system, fails to properly clean user input in Service template names, allowing attackers to inject malicious code that gets stored and executed in users' browsers when they view the template.

Technical detail

A stored XSS vulnerability exists in LibreNMS versions prior to 24.4.0 due to insufficient input sanitization on the Service template name parameter. An authenticated attacker can inject malicious JavaScript that persists in the database and executes in the context of other users' browsers, potentially leading to session hijacking or credential theft.

Summary generated and translated by AI from the official description.

LibreNMS is an open-source, PHP/MySQL/SNMP-based network monitoring system. Prior to version 24.4.0, there is improper sanitization on the `Service` template name, which can lead to stored Cross-site Scripting. Version 24.4.0 fixes this vulnerability.

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
Affected products
librenms · librenms
