Cross-site scripting in LibreNMS - CVE-2024-52526

 

Published: November 15, 2024 / Updated: April 24, 2026


Vulnerability identifier: #VU127454
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2024-52526
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: LibreNMS Project
Affected software:
LibreNMS

Detailed vulnerability description

The vulnerability allows a remote privileged user to execute arbitrary JavaScript in other users' browser sessions.

The vulnerability exists due to insufficient sanitization of the "descr" parameter in librenms/includes/html/pages/device/services.inc.php, in the device services editing workflow. A remote privileged user can save a specially crafted service description that is stored and later rendered unescaped (stored cross-site scripting), executing arbitrary JavaScript in the session of any user who views it.

User interaction is required: the payload fires when another user opens the affected device's "Services" tab. The issue is specific to the service editing workflow; creating a service through the normal "Add Service" interface (an ajax_form.php request with "type=create-service") is not affected.
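The pattern behind a stored XSS of this kind, shown as an added illustration that is not LibreNMS code: a stored service description is concatenated straight into the HTML of a services table, beside the same rendering with output escaping. The row layout, the key name 'descr' and the sample rows are assumptions made for the example.

```php
<?php
// Added illustration, not code from LibreNMS: rendering a stored service
// description into a "Services" tab, first unescaped, then escaped.
// The row shape and the key name 'descr' are assumed for this example.

// Constructed sample rows standing in for database results. The second row
// carries a description a privileged user saved through an edit workflow.
$services = [
    ['service_id' => 1, 'type' => 'http', 'descr' => 'Public web frontend'],
    ['service_id' => 2, 'type' => 'ping', 'descr' => '<img src=x onerror=alert(document.cookie)>'],
];

// Vulnerable pattern: the stored value is concatenated into the markup, so
// any HTML inside 'descr' is parsed and executed by the viewer's browser.
function render_services_vulnerable(array $services): string
{
    $html = '<table>';
    foreach ($services as $svc) {
        $html .= '<tr><td>' . $svc['type'] . '</td><td>' . $svc['descr'] . '</td></tr>';
    }
    return $html . '</table>';
}

// Hardened pattern: every untrusted field is HTML-escaped at the point of
// output. ENT_QUOTES also escapes single quotes, so the value stays safe
// inside attribute values; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
// returning an empty string, which would silently drop the field.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_services_escaped(array $services): string
{
    $html = '<table>';
    foreach ($services as $svc) {
        $html .= '<tr><td>' . e($svc['type']) . '</td><td>' . e($svc['descr']) . '</td></tr>';
    }
    return $html . '</table>';
}

// Self-check: the raw tag survives only in the vulnerable output, while the
// escaped output carries it as inert text (&lt;img ...&gt;).
$vuln = render_services_vulnerable($services);
$safe = render_services_escaped($services);
assert(strpos($vuln, '<img src=x onerror=') !== false);
assert(strpos($safe, '<img src=x onerror=') === false);
assert(strpos($safe, '&lt;img src=x onerror=') !== false);
echo $safe, PHP_EOL;
```

Escaping at output, as in the second function, is the fix that holds regardless of which form the value entered through; that is why a sanitized "Add Service" form does not help when a separate editing path writes the same column. Pages under includes/html are plain PHP rather than templates with automatic escaping, so each echo of user-controlled data has to escape explicitly.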


How to mitigate CVE-2024-52526

Install the security update from the vendor's website.

Sources