Cross-site scripting in LibreNMS - CVE-2024-51497

 


Published: November 15, 2024 / Updated: May 5, 2026


Vulnerability identifier: #VU129732
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2024-51497
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: LibreNMS Project
Affected software: LibreNMS

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary JavaScript in the context of other users' sessions.

The vulnerability exists due to cross-site scripting in librenms/includes/html/print-customoid.php when rendering the "unit" parameter in the "Custom OID" tab. A remote privileged user can submit a specially crafted value in the "unit" parameter when creating a new OID to execute arbitrary JavaScript in the context of other users' sessions.

Exploitation requires user interaction: the injected script runs when another user visits the "Custom OID" tab of the device.
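The flaw class described above, shown as an added PHP example that is neither LibreNMS code nor the vendor's patch: a stored "unit" value written into HTML without encoding, next to an output-encoded form and a write-time check. All function names, field names, the allowed character set and the sample rows are assumptions made for this illustration.

```php
<?php
// Added example, not LibreNMS code: function and field names are hypothetical.

// Vulnerable pattern: the stored value is concatenated into HTML as-is,
// so any markup saved in "unit" is parsed by every viewer's browser.
function render_unit_unsafe(array $oid): string
{
    return '<td>' . $oid['value'] . ' ' . $oid['unit'] . '</td>';
}

// Hardened pattern: encode every stored field at the point of output.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_unit_safe(array $oid): string
{
    return '<td>' . e($oid['value']) . ' ' . e($oid['unit']) . '</td>';
}

// Defence in depth at write time: accept only characters a measurement unit
// plausibly needs (assumed policy; the character set is chosen for this example).
function is_plausible_unit(string $unit): bool
{
    return strlen($unit) <= 32
        && preg_match('/^[\p{L}\p{N} %°\/.^\-]*$/u', $unit) === 1;
}

// Constructed sample rows: one ordinary unit, one containing markup.
$rows = [
    ['value' => '41',   'unit' => '°C'],
    ['value' => '1200', 'unit' => '<script>alert(1)</script>'],
];

foreach ($rows as $row) {
    printf(
        "unsafe: %s\nsafe:   %s\naccepted at write time: %s\n\n",
        render_unit_unsafe($row),
        render_unit_safe($row),
        is_plausible_unit($row['unit']) ? 'yes' : 'no'
    );
}
```

Output encoding is the primary control because it also neutralises values that were stored before any input check existed; the write-time check only narrows what can be saved from then on.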


How to mitigate CVE-2024-51497

Install the security update from the vendor's website.

Sources