3.5
CWE
79
Advisory Published
Advisory Published
Updated

CVE-2024-47526: LibreNMS has a Self-XSS ('Cross-site Scripting') in librenms/includes/html/modal/alert_template.inc.php

First published: Tue Oct 01 2024(Updated: )

### Summary A Self Cross-Site Scripting (Self-XSS) vulnerability in the "Alert Templates" feature allows users to inject arbitrary JavaScript into the alert template's name. This script executes immediately upon submission but does not persist after a page refresh. ### Details The vulnerability occurs when creating an alert template in the LibreNMS interface. Although the application sanitizes the "name" field when storing it in the database, this newly created template is immediately added to the table without any sanitization being applied to the name, allowing users to inject arbitrary JavaScript. This script executes when the template is created but does not persist in the database, thus preventing stored XSS. For instance, the following payload can be used to exploit the vulnerability: ```test1<script>{onerror=alert}throw 1337</script>``` The root cause of this vulnerability lies in the lack of sanitization of the "name" variable before it is rendered in the table. The vulnerability exists because the bootgrid function of the jQuery grid plugin does not sanitize the text being added to the table. Although tags are stripped before being added to the database (as shown in the code below), the vulnerability still allows Self-XSS during the creation of the template. Where the variable is being sanitized before being stored in the database: https://github.com/librenms/librenms/blob/0e741e365aa974a74aee6b43d1b4b759158a5c7e/includes/html/forms/alert-templates.inc.php#L40 Where the vulnerability is happening: https://github.com/librenms/librenms/blob/0e741e365aa974a74aee6b43d1b4b759158a5c7e/includes/html/modal/alert_template.inc.php#L205 ### PoC 1. Navigate to the "Alert Templates" creation page in the LibreNMS interface. 2. In the "Name" field, input the following payload: ```test1<script>{onerror=alert}throw 1337</script>``` 3. Submit the form to create the alert template. 4. Observe that the JavaScript executes immediately, triggering an alert popup. However, this code does not persist after refreshing the page. ### Impact This is a Self Cross-Site Scripting (Self-XSS) vulnerability. Although the risk is lower compared to traditional XSS, it can still be exploited through social engineering or tricking users into entering or interacting with malicious code. This can lead to unauthorized actions or data exposure in the context of the affected user's session.

Credit: security-advisories@github.com security-advisories@github.com

Affected SoftwareAffected VersionHow to fix
composer/librenms/librenms<24.9.0
24.9.0
Librenms Librenms<24.9.0

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203