Cross-site scripting in LibreNMS - CVE-2024-50350

 


Published: November 15, 2024 / Updated: May 5, 2026


Vulnerability identifier: #VU129727
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2024-50350
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: LibreNMS Project
Affected software:
LibreNMS

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary JavaScript in other users' sessions.

The vulnerability exists due to improper neutralization of input during web page generation ('cross-site scripting') in the Port Settings page in librenms/app/Http/Controllers/Table/EditPortsController.php when rendering a Port Group name after it is added to a device. A remote privileged user can create a Port Group with a specially crafted name parameter to execute arbitrary JavaScript in other users' sessions.

Exploitation requires user interaction: another user must visit the Port Settings page after the affected Port Group is added to a device.
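The unescaped-name pattern described above, next to its output-encoded form, as an added PHP illustration. This is not code from LibreNMS or from EditPortsController.php; the function names and the sample rows are hypothetical and constructed for the example.

```php
<?php
// Illustrative only: hypothetical helpers, not LibreNMS code.

/** Vulnerable pattern: a stored Port Group name is concatenated into markup as-is. */
function renderPortGroupOptionsUnsafe(array $groups): string
{
    $html = '';
    foreach ($groups as $g) {
        $html .= '<option value="' . $g['id'] . '">' . $g['name'] . '</option>';
    }
    return $html;
}

/** Encode a value for HTML text and quoted-attribute contexts. */
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Hardened pattern: every stored value is encoded where it enters the page. */
function renderPortGroupOptionsSafe(array $groups): string
{
    $html = '';
    foreach ($groups as $g) {
        $html .= '<option value="' . escapeHtml((string) $g['id']) . '">'
               . escapeHtml($g['name']) . '</option>';
    }
    return $html;
}

// Constructed sample rows; the second name carries harmless markup so the
// difference between the two renderers is visible in the output.
$groups = [
    ['id' => 1, 'name' => 'Uplinks'],
    ['id' => 2, 'name' => 'Core <b>switches</b> & "edge"'],
];

echo renderPortGroupOptionsUnsafe($groups), PHP_EOL; // name is parsed as markup
echo renderPortGroupOptionsSafe($groups), PHP_EOL;   // name is shown as text

// Regression check: no tag taken from a name may survive encoding.
$safe = renderPortGroupOptionsSafe($groups);
$expected = 'Core &lt;b&gt;switches&lt;/b&gt; &amp; &quot;edge&quot;';
if (strpos($safe, '<b>') !== false || strpos($safe, $expected) === false) {
    throw new RuntimeException('Port Group name was not HTML-encoded');
}
```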


How to mitigate CVE-2024-50350

Install the security update from the vendor's website.
