SB2024100164 - Multiple vulnerabilities in LibreNMS

Published: October 1, 2024 Updated: May 5, 2026

Security Bulletin ID SB2024100164
CSH Severity
Low
Patch available
YES
Number of vulnerabilities 6
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

Low 100%

Description

This security bulletin contains information about 6 vulnerabilities.


1) Cross-site scripting (CVE-ID: CVE-2024-47526)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear


The vulnerability allows a remote user to execute arbitrary JavaScript in the affected user's browser session.

The vulnerability exists due to improper neutralization of input during web page generation in the Alert Templates feature in librenms/includes/html/modal/alert_template.inc.php when creating an alert template and rendering the newly added template name in the table. A remote privileged user can submit a crafted template name to execute arbitrary JavaScript in the affected user's browser session.

User interaction is required, and the injected script executes immediately upon submission but does not persist after a page refresh.


2) Cross-site scripting (CVE-ID: CVE-2024-47527)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear


The vulnerability allows a remote user to execute arbitrary JavaScript in other users' sessions.

The vulnerability exists due to cross-site scripting in device-dependencies.inc.php when rendering the Device Dependencies feature with a crafted hostname parameter. A remote privileged user can create a device with a specially crafted hostname to execute arbitrary JavaScript in other users' sessions.

User interaction is required when another user visits the device dependencies page.


3) Cross-site scripting (CVE-ID: CVE-2024-47523)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear


The vulnerability allows a remote user to execute arbitrary JavaScript in other users' sessions.

The vulnerability exists due to cross-site scripting in the Alert Transports feature in librenms/includes/html/print-alert-transports.php when creating or viewing alert transports with crafted Details fields. A remote privileged user can submit specially crafted input in fields that are included in the Details section to execute arbitrary JavaScript in other users' sessions.

User interaction is required to load a page containing the stored transport details.


4) Cross-site scripting (CVE-ID: CVE-2024-47525)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear


The vulnerability allows a remote user to execute arbitrary JavaScript in the context of other users' sessions.

The vulnerability exists due to cross-site scripting in print-alert-rules.php when creating an alert rule with crafted input in the Title field. A remote privileged user can submit a specially crafted Title value to execute arbitrary JavaScript in the context of other users' sessions.

User interaction is required when another user loads the affected page.


5) Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) (CVE-ID: CVE-2024-47524)

CWE-ID: CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to execute arbitrary script code in the browser of users viewing a device group detail page.

The vulnerability exists due to improper neutralization of script-related HTML tags in the device group name field when rendering device group details. A remote privileged user can create a device group with a crafted name to execute arbitrary script code in the browser of users viewing the device group detail page.

The issue is triggered when the crafted device group detail page is viewed.
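The five cross-site scripting entries above share one root cause: a stored, user-controlled string (template name, hostname, transport details, rule title, group name) is written into an HTML response without output encoding. The PHP below is an added illustration of the unsafe pattern beside its hardened form; it is not LibreNMS code, and the `e()` helper, the `renderRow*` functions and the sample `$row` are assumptions constructed for the example.

```php
<?php
declare(strict_types=1);

// Illustrative helper (not LibreNMS's own): encode a string for use in an
// HTML text node or a double-quoted attribute value.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Vulnerable pattern: the stored name is concatenated into the markup verbatim,
// so a name containing a tag or an attribute-breaking quote is rendered as HTML.
function renderRowUnsafe(array $row): string
{
    return '<tr><td>' . $row['name'] . '</td>'
         . '<td title="' . $row['name'] . '"></td></tr>';
}

// Hardened pattern: every value is encoded at the point where it enters the HTML.
function renderRowSafe(array $row): string
{
    return '<tr><td>' . e($row['name']) . '</td>'
         . '<td title="' . e($row['name']) . '"></td></tr>';
}

// Regression check over constructed input standing in for a crafted name.
// Returns true when the hardened renderer leaves no raw tag or quote behind.
function selfCheck(): bool
{
    $row = ['name' => '<img src=x onerror=alert(1)> "quoted"'];
    $unsafe = renderRowUnsafe($row);
    $safe   = renderRowSafe($row);

    return str_contains($unsafe, '<img')              // unsafe output keeps the tag
        && !str_contains($safe, '<img')               // safe output does not
        && str_contains($safe, '&lt;img')             // angle brackets are encoded
        && str_contains($safe, '&quot;quoted&quot;'); // quotes cannot close the attribute
}

if (!selfCheck()) {
    fwrite(STDERR, "output encoding check failed\n");
    exit(1);
}
echo renderRowSafe(['name' => '<img src=x onerror=alert(1)> "quoted"']), PHP_EOL;
```

Encoding must happen in the view, at the moment the value is placed into markup, rather than on the way into the database, because the same stored value may later be emitted into a different context (attribute, JavaScript string, URL) that needs a different encoder. Entry 1 above describes a variant where the newly submitted name is rendered client-side before any refresh; the same rule applies there, with the browser equivalent being to set the element's text content rather than assigning raw HTML.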


6) Arbitrary file upload (CVE-ID: CVE-2024-47528)

CWE-ID: CWE-434 - Unrestricted Upload of File with Dangerous Type

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to execute arbitrary script code in a victim's browser.

The vulnerability exists due to unrestricted upload of a file with a dangerous type in the custom map background upload feature when an SVG file is uploaded as a custom map background. A remote user can upload a crafted SVG file containing script payloads to execute arbitrary script code in a victim's browser.

Only users with the admin role can upload the background file, and the issue affects admin users and users with the global read role who can access the uploaded file.
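The SVG entry above is an instance of a user-uploaded file being served back as an active document: an SVG opened by direct navigation runs any script it carries in the origin that serves it. The PHP below is an added illustration of the two defensive layers that matter for such uploads; it is not LibreNMS code, and the directory constant, the allow-list and the function names are assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical storage location and allow-list for uploaded backgrounds.
const BACKGROUND_DIR = '/var/lib/example-app/backgrounds';
const ALLOWED_TYPES = [
    'image/png'  => 'png',
    'image/jpeg' => 'jpg',
    'image/gif'  => 'gif',
    // image/svg+xml is deliberately absent: SVG is XML and may contain
    // <script> elements and event-handler attributes.
];

/**
 * Layer 1: validate at upload time by sniffing the bytes, never by trusting the
 * client-supplied filename or MIME type. Returns the extension to store under,
 * or null when the file must be rejected.
 */
function validateBackground(string $tmpPath): ?string
{
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime === false || !isset(ALLOWED_TYPES[$mime])) {
        return null;
    }
    // The raster decoder must also accept it; a mislabelled text file fails here.
    if (@getimagesize($tmpPath) === false) {
        return null;
    }
    return ALLOWED_TYPES[$mime];
}

/**
 * Layer 2: serve stored files through a handler that sets headers preventing
 * script execution even if an active type ever slipped past layer 1.
 */
function serveBackground(string $id): void
{
    // Only a bare identifier is accepted, so the path cannot leave BACKGROUND_DIR.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $id)) {
        http_response_code(400);
        return;
    }
    $matches = glob(BACKGROUND_DIR . '/' . $id . '.*');
    if ($matches === false || count($matches) !== 1) {
        http_response_code(404);
        return;
    }
    $file = $matches[0];
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file) ?: 'application/octet-stream';

    header('Content-Type: ' . $mime);
    header('X-Content-Type-Options: nosniff');            // no type guessing by the browser
    header("Content-Security-Policy: sandbox; default-src 'none'"); // no script, unique origin
    header('Content-Disposition: attachment; filename="' . basename($file) . '"');
    readfile($file);
}
```

The upload-time check is the primary control; the response headers are defence in depth. `Content-Security-Policy: sandbox` without `allow-scripts` stops inline script in a directly navigated SVG, and `Content-Disposition: attachment` turns that navigation into a download while still allowing the file to be used as an `<img>` or CSS background, because browsers apply the disposition only to top-level navigations, not to subresource loads. Serving uploads from a separate origin removes the remaining risk of an uploaded document sharing the application's cookies.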


Remediation

Install the update from the vendor's website.