Cross-site scripting in LibreNMS - CVE-2024-49754

Published: November 15, 2024 / Updated: May 5, 2026


Vulnerability identifier: #VU129730
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2024-49754
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: LibreNMS Project
Affected software:
LibreNMS

Detailed vulnerability description

The vulnerability allows a remote privileged user to execute arbitrary JavaScript code in the context of other users' sessions.

The vulnerability exists due to insufficient sanitization of user-supplied data in api-access.inc.php. When a new API token is created, the value of the "token" request parameter is stored and later rendered on the API Access page without proper output encoding. A remote privileged user (PR:H in the vector above, i.e. an account that is allowed to create API tokens) can submit a crafted "token" value containing HTML or JavaScript and have it executed in the browsers of other users.

The attack is stored, not reflected: the payload fires whenever another user opens the API Access page, and it is triggered in both the "Token Hash" and the "QR Code" columns, so output encoding has to cover both places the stored value is rendered, not only the hash cell.
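The rendering pattern behind this class of bug, shown side by side with a hardened version. This is an added illustration and not LibreNMS code: the function names, the row layout, the `/qr?data=` endpoint and the assumption that a legitimate token hash is hexadecimal are all made up for the example.

```php
<?php
// Added illustration of stored XSS in a token listing. NOT LibreNMS code:
// helper names, row layout, the /qr?data= endpoint and the hex token
// format are assumptions made for this example.

declare(strict_types=1);

// Escape a value for an HTML text node or a double-quoted attribute.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Vulnerable rendering: the stored token value is interpolated raw into
// both the "Token Hash" cell and the QR-code image URL, so markup inside
// the token runs in the browser of every user who opens the page.
function render_token_row_vulnerable(string $token_hash, string $description): string
{
    $qr = '/qr?data=' . $token_hash;            // assumed QR endpoint
    return "<tr><td>{$token_hash}</td>"
         . "<td>{$description}</td>"
         . "<td><img src=\"{$qr}\" alt=\"QR code\"></td></tr>\n";
}

// Hardened rendering: every value is encoded for the context it lands in.
// The query-string component is percent-encoded first so it can neither
// break out of the src attribute nor smuggle in extra URL parameters.
function render_token_row_safe(string $token_hash, string $description): string
{
    $qr = '/qr?data=' . rawurlencode($token_hash);
    return '<tr><td>' . h($token_hash) . '</td>'
         . '<td>' . h($description) . '</td>'
         . '<td><img src="' . h($qr) . '" alt="QR code"></td></tr>' . "\n";
}

// Second layer, on the way in: a token hash the application generates for
// itself is hexadecimal (assumption), so reject anything else before it
// is ever stored. Output encoding stays mandatory even with this check.
function is_valid_token_hash(string $token_hash): bool
{
    return (bool) preg_match('/\A[0-9a-f]{32,64}\z/', $token_hash);
}

// Constructed sample input: a token value carrying a script payload,
// next to a token of the expected shape.
$evil = '<img src=x onerror=alert(document.cookie)>';
$good = bin2hex(random_bytes(16));

echo "vulnerable:\n", render_token_row_vulnerable($evil, 'backup job');
echo "safe:\n",       render_token_row_safe($evil, 'backup job');
printf("valid(%s)=%s valid(payload)=%s\n", $good,
    is_valid_token_hash($good) ? 'yes' : 'no',
    is_valid_token_hash($evil) ? 'yes' : 'no');
```

Running it with the PHP CLI prints the vulnerable row with the `<img onerror=...>` tag intact and the safe row with it reduced to `&lt;img ...&gt;` text and a percent-encoded `data=` parameter; the input check accepts the hex token and rejects the payload.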


How to mitigate CVE-2024-49754

Install the security update from the vendor's website. Because the payload is stored together with the API token, also review the existing tokens on the API Access page for unexpected markup and revoke any token whose value contains it.
