Cross-site scripting in LibreNMS - CVE-2024-50350
Published: November 15, 2024 / Updated: May 5, 2026
LibreNMS
Detailed vulnerability description
The vulnerability allows a remote user to execute arbitrary JavaScript in other users' sessions.
The vulnerability exists due to improper neutralization of input during web page generation ('cross-site scripting') in the Port Settings page in librenms/app/Http/Controllers/Table/EditPortsController.php when rendering a Port Group name after it is added to a device. A remote privileged user can create a Port Group with a specially crafted name parameter to execute arbitrary JavaScript in other users' sessions.
User interaction is required: another user must visit the Port Settings page after the affected Port Group is added to a device.
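An audit a defender could run over stored Port Group names, as an added example that is not LibreNMS code: it flags names a browser would parse as markup and shows the HTML-encoded form that is safe to render. The function names, the pattern set and the `<option>` markup are assumptions made for illustration, and the sample rows are constructed.

```python
import html
import re

# Patterns for input a browser would treat as active markup (illustrative set).
ACTIVE_PATTERNS = {
    "html_tag": re.compile(r"<\s*/?\s*[a-zA-Z!]"),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE),
    "script_uri": re.compile(r"javascript\s*:", re.IGNORECASE),
}

# Constructed sample rows (id, name); a real audit would read them from the database.
SAMPLE_ROWS = [
    (1, "Core uplinks"),
    (2, "Customer A & B"),
    (3, "<script>alert(1)</script>"),
    (4, '"><img src=x onerror=alert(1)>'),
    (5, "Access ports"),
]


def classify(name):
    """Return the reasons a name is unsafe to emit without output encoding."""
    reasons = [label for label, rx in ACTIVE_PATTERNS.items() if rx.search(name)]
    # Harmless-looking names with &, <, > or quotes still need encoding.
    if not reasons and html.escape(name, quote=True) != name:
        reasons.append("metacharacters")
    return reasons


def audit_port_groups(rows):
    """List every group whose name would change meaning if rendered raw."""
    findings = []
    for group_id, name in rows:
        reasons = classify(name)
        if reasons:
            findings.append({"id": group_id, "reasons": reasons,
                             "encoded": html.escape(name, quote=True)})
    return findings


def render_option(group_id, name):
    """Hardened rendering (hypothetical markup): the name can only appear as text."""
    return f'<option value="{int(group_id)}">{html.escape(name, quote=True)}</option>'


if __name__ == "__main__":
    for finding in audit_port_groups(SAMPLE_ROWS):
        print(finding)
    print(render_option(3, SAMPLE_ROWS[2][1]))
```

Names flagged only as `metacharacters` are usually legitimate and just need encoding at render time; the other reasons call for a look at who created the group and when.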