Cross-site scripting in LibreNMS - CVE-2024-51497
Published: November 15, 2024 / Updated: May 5, 2026
LibreNMS
Detailed vulnerability description
The vulnerability allows a remote user to execute arbitrary JavaScript in the context of other users' sessions.
The vulnerability exists due to cross-site scripting in librenms/includes/html/print-customoid.php when rendering the "unit" parameter in the "Custom OID" tab. A remote privileged user can submit a specially crafted value in the "unit" parameter when creating a new OID to execute arbitrary JavaScript in the context of other users' sessions.
User interaction is required when another user visits the "Custom OID" tab of the device.