Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in LibreNMS - CVE-2024-49758
Published: November 15, 2024 / Updated: May 5, 2026
LibreNMS
Detailed vulnerability description
The vulnerability allows a remote user to execute arbitrary JavaScript code in the context of other users' sessions.
The vulnerability exists due to improper neutralization of script-related HTML tags when ExamplePlugin renders device notes in the device overview. A remote privileged user can inject crafted JavaScript into a device's notes to execute arbitrary JavaScript code in the context of other users' sessions.
User interaction is required: the victim must visit the affected device overview. Only instances with ExamplePlugin enabled are vulnerable.
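The flaw class described above, shown as an added PHP illustration that is not LibreNMS or ExamplePlugin source code: a stored note written into the page as-is next to the same note encoded at output time. The function names, the `device-notes` class and the sample notes are hypothetical, and the example assumes notes are meant to be plain text.

```php
<?php
// Added illustration; not LibreNMS or ExamplePlugin source code.
// renderNotesUnsafe(), renderNotesSafe() and the samples are hypothetical.

const OPEN_TAG = '<div class="device-notes">';
const CLOSE_TAG = '</div>';

// Vulnerable pattern: the stored note is concatenated into the page as-is,
// so any markup saved in the note is parsed by the viewer's browser.
function renderNotesUnsafe(string $notes): string
{
    return OPEN_TAG . $notes . CLOSE_TAG;
}

// Hardened pattern: encode at output time for the HTML body context.
// ENT_QUOTES encodes both quote styles; ENT_SUBSTITUTE replaces invalid
// UTF-8 sequences instead of returning an empty string.
function renderNotesSafe(string $notes): string
{
    $encoded = htmlspecialchars($notes, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    // nl2br() runs after encoding, so the only markup it can add is <br>.
    return OPEN_TAG . nl2br($encoded, false) . CLOSE_TAG;
}

// Returns true if any raw angle bracket from the note survived rendering.
function noteMarkupSurvives(string $rendered): bool
{
    $inner = substr($rendered, strlen(OPEN_TAG), -strlen(CLOSE_TAG));
    $inner = str_replace('<br>', '', $inner); // line breaks added by nl2br
    return strpbrk($inner, '<>') !== false;
}

// Constructed sample notes (not taken from any real system).
$samples = [
    "Rack 12, unit 4\nContact: noc@example.org",
    '<script>alert(1)</script>',
    '<img src=x onerror="alert(1)">',
];

foreach ($samples as $notes) {
    $unsafe = renderNotesUnsafe($notes);
    $safe = renderNotesSafe($notes);
    printf(
        "unsafe: %s (markup survives: %s)\nsafe:   %s (markup survives: %s)\n\n",
        $unsafe, noteMarkupSurvives($unsafe) ? 'yes' : 'no',
        $safe, noteMarkupSurvives($safe) ? 'yes' : 'no'
    );
}
```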