#VU127454 Cross-site scripting in LibreNMS - CVE-2024-52526

 


Published: November 15, 2024 / Updated: April 24, 2026


Vulnerability identifier: #VU127454
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2024-52526
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
LibreNMS
Software vendor:
LibreNMS Project

Description

The vulnerability allows a remote user to execute arbitrary JavaScript in other users' sessions.

The vulnerability exists due to cross-site scripting in librenms/includes/html/pages/device/services.inc.php when handling the "descr" parameter in the device services editing workflow. A remote privileged user can submit a specially crafted service description to execute arbitrary JavaScript in other users' sessions.

Exploitation requires user interaction: another user must visit the device's "Services" tab. The issue does not occur through the normal "Add Service" interface, which creates the service through the ajax_form.php request with "type=create-service".
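The pattern behind this class of flaw, and the output-encoding fix, shown as an added example that is not LibreNMS code and not the vendor's patch. The function names, the row layout and the sample rows are hypothetical; only the "descr" field name comes from the advisory.

```php
<?php
// Added illustration, not LibreNMS code. Names and row layout are hypothetical.

// Unsafe pattern: a stored description is concatenated into HTML as-is,
// so any markup it contains is interpreted by the browser of whoever views it.
function render_service_row_unsafe(array $service): string
{
    return '<tr><td>' . $service['type'] . '</td><td>' . $service['descr'] . '</td></tr>';
}

// Hardened pattern: encode every stored field for the HTML context at output time,
// regardless of which code path wrote it to the database.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_service_row(array $service): string
{
    return '<tr><td>' . h($service['type']) . '</td><td>' . h($service['descr']) . '</td></tr>';
}

// Audit helper: list stored descriptions containing HTML-significant characters.
// A hit is a prompt for manual review, not proof of tampering.
function find_suspect_descriptions(array $services): array
{
    return array_values(array_filter(
        $services,
        fn(array $s): bool => preg_match('/[<>"\']/', $s['descr']) === 1
    ));
}

// Constructed sample rows (not real data).
$services = [
    ['service_id' => 1, 'type' => 'http', 'descr' => 'Public web frontend'],
    ['service_id' => 2, 'type' => 'icmp', 'descr' => '<b>core switch</b>'],
];

foreach ($services as $service) {
    echo render_service_row($service), PHP_EOL;
}
foreach (find_suspect_descriptions($services) as $hit) {
    echo 'review service_id ', $hit['service_id'], PHP_EOL;
}
```

Encoding at output covers values that reached storage through any path, which matters here because the advisory notes that only one of the two service workflows is affected.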


Remediation

Install the security update from the vendor's website.
