Cross-site scripting in LibreNMS - CVE-2024-49764
Published: November 15, 2024 / Updated: May 5, 2026
LibreNMS
Detailed vulnerability description
The vulnerability allows a remote user to execute arbitrary JavaScript in another user's browser session.
The vulnerability exists due to cross-site scripting in librenms/includes/html/pages/device/capture.inc.php when rendering the "Capture Debug Information" page using a device hostname value. A remote privileged user can create a device with a specially crafted hostname parameter to execute arbitrary JavaScript in another user's browser session.
User interaction is required: the injected script runs when another user visits the "Capture Debug Information" page for the device. Cookies set without the HttpOnly flag may be exposed to an attacker-controlled domain.
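A defender's check for the condition described above, as an added example that is not LibreNMS code or part of the original advisory: it audits stored device hostnames for values that are neither an IP literal nor an RFC 1123 hostname and returns them HTML-escaped so the report itself is safe to render. The row layout (`device_id`, `hostname`) and the sample rows are constructed assumptions, and the hostname check is deliberately strict.

```python
import html
import ipaddress
import re

# RFC 1123 label: letters, digits, hyphen; no leading/trailing hyphen; 1-63 chars.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def is_plain_host(value: str) -> bool:
    """True if value is an IP literal or a syntactically valid RFC 1123 hostname."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    name = value[:-1] if value.endswith(".") else value  # allow a trailing dot
    if not name or len(name) > 253:
        return False
    return all(_LABEL.fullmatch(label) for label in name.split("."))


def audit_devices(devices):
    """Return (device_id, escaped_hostname) for every hostname that is not a plain host.

    The hostname is escaped with html.escape(quote=True), the same output
    encoding a page must apply before placing the value into HTML.
    """
    return [
        (d["device_id"], html.escape(d["hostname"], quote=True))
        for d in devices
        if not is_plain_host(d["hostname"])
    ]


# Constructed sample rows; field names are assumptions, not the LibreNMS schema.
SAMPLE = [
    {"device_id": 1, "hostname": "core-sw1.example.net"},
    {"device_id": 2, "hostname": "192.0.2.10"},
    {"device_id": 3, "hostname": 'edge"><script>alert(1)</script>'},
    {"device_id": 4, "hostname": "2001:db8::1"},
]

if __name__ == "__main__":
    for device_id, shown in audit_devices(SAMPLE):
        print(f"device {device_id}: suspicious hostname {shown}")
```

Any row the audit reports warrants review of who created the device and when, since the advisory states that a privileged user supplies the hostname.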