SB20241115152 - Multiple vulnerabilities in LibreNMS
Published: November 15, 2024 Updated: May 5, 2026
Description
This security bulletin contains information about 9 vulnerabilities.
1) Cross-site scripting (CVE-ID: CVE-2024-51495)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary JavaScript in other users' sessions.
The vulnerability exists due to improper neutralization of input during web page generation in dev-overview-data.inc.php when rendering the user-supplied "overwrite_ip" value on the device overview page. A remote privileged user can inject a specially crafted "overwrite_ip" parameter while editing a device to execute arbitrary JavaScript in other users' sessions.
User interaction is required when another user visits the device overview page.
2) Cross-site scripting (CVE-ID: CVE-2024-50350)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary JavaScript in other users' sessions.
The vulnerability exists due to improper neutralization of input during web page generation ('cross-site scripting') in the Port Settings page in librenms/app/Http/Controllers/Table/EditPortsController.php when rendering a Port Group name after it is added to a device. A remote privileged user can create a Port Group with a specially crafted name parameter to execute arbitrary JavaScript in other users' sessions.
User interaction is required when another user visits the Port Settings page after the affected Port Group is added to a device.
3) Cross-site scripting (CVE-ID: CVE-2024-51494)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary JavaScript in the context of other users' sessions.
The vulnerability exists due to cross-site scripting in the Port Settings page in librenms/app/Http/Controllers/Table/EditPortsController.php when rendering the user-supplied "descr" parameter while editing a device's port settings. A remote privileged user can submit a specially crafted descr value to execute arbitrary JavaScript in the context of other users' sessions.
User interaction is required when the "Port Settings" page is visited.
4) Cross-site scripting (CVE-ID: CVE-2024-49764)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary JavaScript in another user's browser session.
The vulnerability exists due to cross-site scripting in librenms/includes/html/pages/device/capture.inc.php when rendering the "Capture Debug Information" page using a device hostname value. A remote privileged user can create a device with a specially crafted hostname parameter to execute arbitrary JavaScript in another user's browser session.
User interaction is required when the "Capture Debug Information" page for the device is visited, and non-httponly cookies may be exposed to an attacker-controlled domain.
5) Cross-site scripting (CVE-ID: CVE-2024-49754)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary JavaScript code in the context of other users' sessions.
The vulnerability exists due to cross-site scripting in api-access.inc.php on the API Access page when creating a new API token with a crafted "token" parameter. A remote privileged user can inject arbitrary JavaScript through the "token" parameter to execute arbitrary JavaScript code in the context of other users' sessions.
User interaction is required when another user visits the API Access page, and the payload is triggered in both the "Token Hash" and "QR Code" columns.
6) Cross-site scripting (CVE-ID: CVE-2024-51497)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary JavaScript in the context of other users' sessions.
The vulnerability exists due to cross-site scripting in librenms/includes/html/print-customoid.php when rendering the "unit" parameter in the "Custom OID" tab. A remote privileged user can submit a specially crafted value in the "unit" parameter when creating a new OID to execute arbitrary JavaScript in the context of other users' sessions.
User interaction is required when another user visits the "Custom OID" tab of the device.
7) Cross-site scripting (CVE-ID: CVE-2024-49759)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary JavaScript in another user's session.
The vulnerability exists due to cross-site scripting in librenms/includes/html/pages/edituser.inc.php when rendering the "Bill Access" dropdown with a user-controlled bill_name value. A remote privileged user can create or update a bill with a specially crafted bill_name parameter to execute arbitrary JavaScript in another user's session.
User interaction is required when a victim visits the "Manage Access" page and the payload is triggered from the "Bill Access" dropdown.
8) Cross-site scripting
CWE-ID: CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary JavaScript code in the context of other users' sessions.
The vulnerability exists due to improper neutralization of script-related HTML tags in a web page in device notes rendering within ExamplePlugin when rendering device notes in the device overview. A remote privileged user can inject crafted JavaScript into a device's notes to execute arbitrary JavaScript code in the context of other users' sessions.
User interaction is required when a victim visits the affected device overview, and only instances with ExamplePlugin enabled are vulnerable.
9) Cross-site scripting
CWE-ID: CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary JavaScript code in the context of other users' sessions.
The vulnerability exists due to improper neutralization of script-related HTML tags in device display name handling when rendering user-supplied display names across multiple endpoints. A remote privileged user can store a crafted device display name to execute arbitrary JavaScript code in the context of other users' sessions.
The injected script can be triggered from multiple interface locations, including alert-related views, event logs, dashboards, and the availability map.
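All nine findings share one root cause: a value a privileged user can store (device display name, overwrite_ip, port description, bill name, notes, custom OID unit, API token) is later echoed into HTML without output encoding. The following is an added illustration, not LibreNMS code; the field names, sample values and render functions are constructed, and it shows the unsafe rendering beside the hardened form, covering both text-node and attribute contexts.

```php
<?php
// Added example, not LibreNMS code. It shows the pattern behind the stored
// XSS findings above: a stored, user-supplied value is echoed into HTML
// without output encoding. Field names and sample values are constructed.

// Constructed rows, as a user with device-edit rights could store them.
$device = [
    'display'      => '<img src=x onerror=alert(1)>',      // text-node payload
    'overwrite_ip' => '10.0.0.1" onmouseover="alert(1)',   // attribute breakout
];
$bills = [
    ['bill_id' => 1, 'bill_name' => 'Upstream A'],
    ['bill_id' => 2, 'bill_name' => '</option><script>alert(1)</script>'],
];

// Vulnerable: raw interpolation in text and attribute contexts.
function renderUnsafe(array $device, array $bills): string
{
    $html = '<h2>' . $device['display'] . '</h2>'
          . '<span title="' . $device['overwrite_ip'] . '">IP</span>'
          . '<select name="bill_id">';
    foreach ($bills as $bill) {
        $html .= '<option value="' . $bill['bill_id'] . '">' . $bill['bill_name'] . '</option>';
    }
    return $html . '</select>';
}

// Encoder for HTML text nodes and double-quoted attribute values. ENT_QUOTES
// also encodes single quotes; ENT_SUBSTITUTE keeps invalid UTF-8 from making
// htmlspecialchars() return '' and silently blank the output.
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened: every untrusted value is encoded at the point of output.
function renderSafe(array $device, array $bills): string
{
    $html = '<h2>' . esc($device['display']) . '</h2>'
          . '<span title="' . esc($device['overwrite_ip']) . '">IP</span>'
          . '<select name="bill_id">';
    foreach ($bills as $bill) {
        $html .= '<option value="' . esc((string) $bill['bill_id']) . '">'
               . esc($bill['bill_name']) . '</option>';
    }
    return $html . '</select>';
}

// Unsafe output carries live <img onerror> and <script> tags; safe output carries only &lt;img ... text.
echo renderUnsafe($device, $bills), "\n\n", renderSafe($device, $bills), "\n";
```

Encoding belongs at the output point for each context, not at storage time; a value that is safe in an HTML text node is not automatically safe inside an attribute, a URL or a script block.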
Remediation
Install the update from the vendor's website.
References
- https://github.com/librenms/librenms/security/advisories/GHSA-p66q-ppwr-q5j8
- https://github.com/librenms/librenms/commit/7f2ae971c4a565b0d7345fa78b4211409f96800a
- https://github.com/librenms/librenms/security/advisories/GHSA-xh4g-c9p6-5jxg
- https://github.com/librenms/librenms/security/advisories/GHSA-7663-37rg-c377
- https://github.com/librenms/librenms/security/advisories/GHSA-rmr4-x6c9-jc68
- https://github.com/librenms/librenms/security/advisories/GHSA-gfwr-xqmj-j27v
- https://github.com/librenms/librenms/security/advisories/GHSA-gv4m-f6fx-859x
- https://github.com/librenms/librenms/security/advisories/GHSA-888j-pjqh-fx58
- https://github.com/librenms/librenms/security/advisories/GHSA-c86q-rj37-8f85
- https://github.com/librenms/librenms/security/advisories/GHSA-4m5r-w2rq-q54q