Cross-site scripting in LibreNMS - CVE-2024-49754
Published: November 15, 2024 / Updated: May 5, 2026
LibreNMS
Detailed vulnerability description
The vulnerability allows a remote user to execute arbitrary JavaScript code in the context of other users' sessions.
The vulnerability is a cross-site scripting flaw in api-access.inc.php, on the API Access page, reachable when creating a new API token with a crafted "token" parameter. A remote privileged user can inject arbitrary JavaScript through the "token" parameter, and it then executes in the context of other users' sessions.
User interaction is required: the payload is triggered when another user visits the API Access page, where it fires in both the "Token Hash" and "QR Code" columns.
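As an added illustration (not LibreNMS code and not the project's actual fix), the PHP below shows the defensive checks this class of bug calls for: validate the token format at creation, audit stored tokens for values that fail it, and encode the token on output in both columns. The 32-hex-character token format, the row layout and all function names are assumptions.

```php
<?php
// Added example: hypothetical helpers, not LibreNMS code.

// Assumption: a legitimate API token is exactly 32 lowercase hex characters.
function is_valid_token(string $token): bool
{
    return preg_match('/\A[0-9a-f]{32}\z/', $token) === 1;
}

// Audit: return ids of stored rows whose token fails the format check.
function find_suspect_tokens(array $rows): array
{
    $suspect = [];
    foreach ($rows as $row) {
        if (!is_valid_token((string) $row['token'])) {
            $suspect[] = $row['id'];
        }
    }
    return $suspect;
}

// Encode for HTML text and quoted-attribute contexts.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Render one row; the token lands in a text cell ("Token Hash") and in a
// quoted attribute read by a QR widget ("QR Code"). Layout is hypothetical.
function render_token_row(array $row): string
{
    $t = h((string) $row['token']);
    return '<tr><td>' . $t . '</td>'
         . '<td><div class="qr" data-token="' . $t . '"></div></td></tr>';
}

// Constructed sample rows: one well-formed token, one carrying markup.
$rows = [
    ['id' => 1, 'token' => '0123456789abcdef0123456789abcdef'],
    ['id' => 2, 'token' => 'abc"><i>constructed</i>'],
];

echo 'suspect ids: ' . implode(',', find_suspect_tokens($rows)) . PHP_EOL;
foreach ($rows as $row) {
    echo render_token_row($row) . PHP_EOL;  // markup in row 2 is emitted inert
}
```

Rejecting malformed tokens at creation stops new entries, but output encoding is what neutralises values already stored, so both checks are needed.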