Cross-site scripting in LibreNMS - CVE-2024-50352

 


Published: November 15, 2024 / Updated: April 24, 2026


Vulnerability identifier: #VU127455
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2024-50352
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: LibreNMS Project
Affected software:
LibreNMS

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary JavaScript in other users' sessions.

The vulnerability exists due to improper neutralization of input during web page generation in the Services section of the Device Overview page when processing the "name" parameter during the device edit services workflow. A remote privileged user can submit a specially crafted service name to execute arbitrary JavaScript in other users' sessions.

Exploitation requires user interaction: the script runs when another user visits the device overview page. The issue does not occur through the normal "Add Service" interface.


How to mitigate CVE-2024-50352

Install the security update from the vendor's website.
