Cross-site scripting in LibreNMS - CVE-2024-51495
Published: November 15, 2024 / Updated: May 5, 2026
LibreNMS
Detailed vulnerability description
The vulnerability allows a remote user to execute arbitrary JavaScript in other users' sessions.
The vulnerability exists due to improper neutralization of input during web page generation in dev-overview-data.inc.php when rendering the user-supplied "overwrite_ip" value on the device overview page. A remote privileged user can inject a specially crafted "overwrite_ip" parameter while editing a device to execute arbitrary JavaScript in other users' sessions.
User interaction is required: another user must visit the device overview page for the injected script to run.
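The flaw class described above, shown as an added example that is not LibreNMS source code: a stored field is written into HTML without encoding, next to the output-encoded form and a write-time validator. The function names, the table-row layout and the assumption that "overwrite_ip" should only ever hold an IP address or hostname are hypothetical.

```php
<?php
// Added illustration of stored XSS in a rendered device field.
// Not LibreNMS code: all function names and the row markup are hypothetical.

/** Encode a string for an HTML element or quoted-attribute context. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Unsafe pattern: the stored value is interpolated into markup as-is. */
function render_row_unsafe(string $label, string $value): string
{
    return "<tr><td>$label</td><td>$value</td></tr>";
}

/** Hardened pattern: every dynamic value is encoded at output time. */
function render_row_safe(string $label, string $value): string
{
    return '<tr><td>' . h($label) . '</td><td>' . h($value) . '</td></tr>';
}

/**
 * Defence in depth at write time. Assumes the field may only contain an
 * IP literal or a hostname; returns null when the field is left empty.
 */
function validate_overwrite_ip(string $input): ?string
{
    $input = trim($input);
    if ($input === '') {
        return null;
    }
    if (filter_var($input, FILTER_VALIDATE_IP) !== false
        || filter_var($input, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) !== false) {
        return $input;
    }
    throw new InvalidArgumentException('overwrite_ip must be an IP address or hostname');
}

// Constructed sample value, as it might sit in the database after an edit.
$stored = '10.0.0.5<script>document.title="injected"</script>';
echo render_row_unsafe('Overwrite IP', $stored), PHP_EOL; // markup reaches the browser
echo render_row_safe('Overwrite IP', $stored), PHP_EOL;   // markup is shown as text
try {
    validate_overwrite_ip($stored);
} catch (InvalidArgumentException $e) {
    echo 'rejected at write time: ', $e->getMessage(), PHP_EOL;
}
```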