Cross-site scripting in LibreNMS - CVE-2024-51494
Published: November 15, 2024 / Updated: May 5, 2026
LibreNMS
Detailed vulnerability description
The vulnerability allows a remote user to execute arbitrary JavaScript in the context of other users' sessions.
The vulnerability exists due to cross-site scripting in the Port Settings page in librenms/app/Http/Controllers/Table/EditPortsController.php when rendering the user-supplied "descr" parameter while editing a device's port settings. A remote privileged user can submit a specially crafted descr value to execute arbitrary JavaScript in the context of other users' sessions.
User interaction is required when the "Port Settings" page is visited.