CVE-2024-49754
LibreNMS has a stored XSS ('Cross-site Scripting') in librenms/includes/html/pages/api-access.inc.php
In short
LibreNMS allows authenticated users to inject malicious code into the API token creation page, which gets executed when other users view it. This could let attackers steal session information or perform unauthorized actions on behalf of other users.
Technical detail
Stored XSS vulnerability in the API-Access page (api-access.inc.php) where the 'token' parameter is not properly sanitized during token creation. An authenticated attacker can inject arbitrary JavaScript that persists in the database and executes in the browsers of other users accessing the same page, potentially leading to account compromise and unauthorized operations.
Summary generated and translated by AI from the official description.
LibreNMS is an open-source, PHP/MySQL/SNMP-based network monitoring system. A Stored Cross-Site Scripting (XSS) vulnerability in the API-Access page allows authenticated users to inject arbitrary JavaScript through the "token" parameter when creating a new API token. This vulnerability can result in the execution of malicious code in the context of other users' sessions, compromising their accounts and enabling unauthorized actions. This vulnerability is fixed in 24.10.0.
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:L
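The vulnerability class described above, as an added example that is not LibreNMS's own code: a minimal token-list renderer showing the unescaped output pattern beside its hardened form, with constructed sample rows and an assumed token format for input validation.

```php
<?php
// Added example, not LibreNMS code: a token-list renderer that mirrors the
// bug class described above (a stored, user-supplied 'token' value written
// into HTML without encoding) next to the hardened form.

// Constructed sample rows as they might come back from the database; the
// second token carries markup to show what output encoding must neutralise.
$rows = [
    ['user' => 'alice', 'token' => 'a1b2c3d4e5f6', 'description' => 'read-only'],
    ['user' => 'bob',   'token' => '<script>x()</script>', 'description' => 'rogue'],
];

// Vulnerable pattern: stored values interpolated straight into HTML. A value
// containing markup is rendered as markup, so it runs for every viewer.
function renderTokenRowUnsafe(array $row): string
{
    return "<tr><td>{$row['user']}</td><td>{$row['token']}</td>"
         . "<td>{$row['description']}</td></tr>";
}

// Hardened pattern: every stored value is HTML-encoded at the point of
// output. ENT_QUOTES also encodes single quotes so the value is safe inside
// attribute context; ENT_SUBSTITUTE keeps invalid UTF-8 from blanking it.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderTokenRowSafe(array $row): string
{
    return '<tr><td>' . e($row['user']) . '</td><td>' . e($row['token']) . '</td>'
         . '<td>' . e($row['description']) . '</td></tr>';
}

// Defence in depth: reject a submitted token that does not match the expected
// shape before it is stored. The pattern is an assumed format for this
// example, not LibreNMS's actual token format.
function isWellFormedToken(string $token): bool
{
    return preg_match('/^[A-Za-z0-9]{16,128}$/', $token) === 1;
}

foreach ($rows as $row) {
    echo "unsafe: " . renderTokenRowUnsafe($row) . "\n";
    echo "safe:   " . renderTokenRowSafe($row) . "\n";
    echo "accept: " . var_export(isWellFormedToken($row['token']), true) . "\n\n";
}
```

Output encoding at render time is the fix that closes the bug; the input check only narrows what can reach the database and must not be relied on alone.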
Affected products
librenms · librenms