CVE-2019-10670: XSS
First published: Mon Sep 09 2019(Updated: )
An issue was discovered in LibreNMS through 1.47. Many of the scripts rely on the function mysqli_escape_real_string for filtering data. However, this is particularly ineffective when returning user supplied input in an HTML or a JavaScript context, resulting in unsafe data being injected into these contexts, leading to attacker controlled JavaScript executing in the browser. One example of this is the string parameter in html/pages/inventory.inc.php.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Librenms Librenms | <=1.47 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID of this issue?
The vulnerability ID of this issue is CVE-2019-10670.
What is the severity of CVE-2019-10670?
The severity of CVE-2019-10670 is medium (6.1).
What is the affected software?
The affected software is LibreNMS version 1.47.
What is the CWE ID of this vulnerability?
The CWE ID of this vulnerability is CWE-89 and CWE-79.
Is there a reference link for more information?
Yes, you can find more information about this vulnerability [here](https://www.darkmatter.ae/xen1thlabs/librenms-multiple-reflected-cross-site-scripting-vulnerability-xl-19-021/).
- collector/nvd-index
- agent/type
- agent/event
- agent/severity
- agent/weakness
- agent/author
- agent/references
- agent/tags
- agent/description
- agent/last-modified-date
- agent/first-publish-date
- vendor/librenms
- canonical/librenms librenms
- version/librenms librenms/1.47