SB2025011677 - Multiple vulnerabilities in LibreNMS
Published: January 16, 2025 Updated: April 24, 2026
Description
This security bulletin contains information about 4 security vulnerabilities, all of them cross-site scripting issues in the LibreNMS web interface.
1) Stored cross-site scripting (CVE-ID: CVE-2025-23198)
The vulnerability allows a remote user to execute malicious scripts in the browser of other users.
The vulnerability exists due to insufficient sanitization of the device display name submitted through /device/$DEVICE_ID/edit; the stored display name is later rendered without proper escaping on application and port-related pages. A remote user can set a crafted display name to execute malicious scripts in the browser of any user who views those pages.
User interaction is required: the victim must view or interact with a page that displays the stored value.
2) Stored cross-site scripting (CVE-ID: CVE-2025-23199)
The vulnerability allows a remote user to execute malicious scripts in the browser of other users.
The vulnerability exists due to improper neutralization of input during web page generation in the /ajax_form.php endpoint and in the port description rendering logic. The descr parameter of an update-ifalias request is stored and later displayed without proper escaping. A remote user can submit a specially crafted port description to execute malicious scripts in the browser of any user who views it.
User interaction is required: the victim must view or interact with the stored value, for example by opening the ports tab or hovering over the modified port field.
3) Stored cross-site scripting (CVE-ID: CVE-2025-23200)
The vulnerability allows a remote user to execute malicious scripts in the browser of other users.
The vulnerability exists due to improper neutralization of input during web page generation in the dynamic_override_config function in functions.inc.php and in the misc section page, when the state parameter submitted to ajax_form.php is stored and later rendered. A remote user can submit a specially crafted state value to execute malicious scripts in the browser of any user who views the page.
User interaction is required: the victim must view or interact with the page displaying the stored data.
4) Reflected cross-site scripting (CVE-ID: CVE-2025-23201)
The vulnerability allows a remote attacker to execute arbitrary script code in a user's browser.
The vulnerability exists due to insufficient sanitization of the community parameter when it is reflected into the error alert on /addhost. A remote attacker can trick a user into submitting a specially crafted value to execute arbitrary script code in that user's browser.
User interaction is required: the victim must view or interact with the page displaying the error message.
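Because three of the four issues are stored XSS, the injected values sit in the LibreNMS database and survive an upgrade; the fix only stops them from rendering as script. The following is an added triage script, not code from LibreNMS or from the advisories. It assumes the affected fields have been exported as records (the column names `display` for the device display name and `ifAlias` for the port description are assumptions, and the sample records below are constructed, not real data). It flags values carrying HTML-significant markup and shows the context-appropriate escaping that makes them inert when rendered into HTML text or attribute values.

```python
import html
import re

# Constructed sample export (not real LibreNMS data). Each record is one
# stored free-text field that the bulletin names as an XSS sink.
SAMPLE_RECORDS = [
    {"table": "devices", "id": 12, "field": "display", "value": "core-sw-01"},
    {"table": "devices", "id": 13, "field": "display",
     "value": "edge<img src=x onerror=alert(1)>"},
    {"table": "ports", "id": 1044, "field": "ifAlias", "value": "Uplink to ISP"},
    {"table": "ports", "id": 1045, "field": "ifAlias",
     "value": "<script>alert(document.cookie)</script>"},
    # Legitimate use of '&' in a description: must not be flagged as an
    # injection attempt, but must still be escaped on output.
    {"table": "ports", "id": 1046, "field": "ifAlias", "value": "VLAN 10 & 20"},
]

# Indicators that a stored value contains markup rather than plain text:
# an opening/closing tag, an inline event handler, or a script-bearing URL scheme.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z]")
EVENT_RE = re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)
SCHEME_RE = re.compile(r"(javascript|data|vbscript)\s*:", re.IGNORECASE)


def suspicious(value: str) -> bool:
    """True when a stored value looks like HTML/JS rather than a plain label."""
    return bool(TAG_RE.search(value) or EVENT_RE.search(value)
                or SCHEME_RE.search(value))


def triage(records):
    """Return the records whose stored value should be reviewed and cleaned."""
    return [r for r in records if suspicious(r["value"])]


def render_safely(value: str) -> str:
    """Escape a stored value for insertion into HTML text or a quoted
    attribute. quote=True also encodes ' and ", which matters for the
    hover/title and display-name contexts named in the bulletin."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    for rec in triage(SAMPLE_RECORDS):
        print(f"{rec['table']}.{rec['field']} id={rec['id']}: {rec['value']!r}")
    # Even benign values are escaped on output; escaping is the fix,
    # the indicator scan is only the clean-up aid.
    print(render_safely("VLAN 10 & 20"))
```

Run the scan against an export of the device and port tables after patching; every flagged record is a value to replace, and the escaping function shows why the patched renderer no longer executes them.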
Remediation
Install the update from the vendor's website. A patched release stops stored values from rendering as script but does not remove values already saved in the database; review existing device display names, port descriptions and state values for injected markup and replace any that are found.
References
- https://github.com/librenms/librenms/security/advisories/GHSA-pm8j-3v64-92cq
- https://github.com/librenms/librenms/security/advisories/GHSA-27vf-3g4f-6jp7
- https://github.com/librenms/librenms
- https://github.com/librenms/librenms/security/advisories/GHSA-c66p-64fj-jmc2
- https://github.com/librenms/librenms/security/advisories/GHSA-g84x-g96g-rcjc
- https://github.com/advisories/GHSA-g84x-g96g-rcjc