Cross-site scripting in LibreNMS - CVE-2024-47526

 


Published: October 1, 2024 / Updated: May 5, 2026


Vulnerability identifier: #VU129736
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2024-47526
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: LibreNMS Project
Affected software: LibreNMS

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary JavaScript in the affected user's browser session.

The vulnerability exists due to improper neutralization of input during web page generation in the Alert Templates feature in librenms/includes/html/modal/alert_template.inc.php when creating an alert template and rendering the newly added template name in the table. A remote privileged user can submit a crafted template name to execute arbitrary JavaScript in the affected user's browser session.

User interaction is required, and the injected script executes immediately upon submission but does not persist after a page refresh.
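
The class of bug described above, shown as an added example that is not LibreNMS code: a table row built from a submitted template name without output encoding, next to an encoded version and a small regression check. The function names, the row markup and the sample name are assumptions made for illustration.

```javascript
// Added illustration; hypothetical names and markup, not taken from LibreNMS.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five characters that can change HTML parsing context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// "Before": the template name is concatenated into markup as-is, so any
// markup inside the name becomes part of the page.
function buildRowUnsafe(id, name) {
  return `<tr id="row_${id}"><td>${name}</td></tr>`;
}

// "After": the id is forced to an integer and the name is HTML-encoded,
// so the name can only ever render as text inside the cell.
function buildRowSafe(id, name) {
  const safeId = Number.parseInt(id, 10);
  if (!Number.isInteger(safeId)) {
    throw new TypeError('template id must be an integer');
  }
  return `<tr id="row_${safeId}"><td>${escapeHtml(name)}</td></tr>`;
}

// Regression check: list the element names that a rendered row would open.
// A correctly encoded row opens only <tr> and <td>.
function openedTags(html) {
  return [...html.matchAll(/<\s*([a-zA-Z][a-zA-Z0-9]*)/g)].map((m) => m[1].toLowerCase());
}

// Constructed sample input: a template name that contains markup.
const SAMPLE_NAME = 'Disk full <script>probe()</script>';

console.log('unsafe row opens:', openedTags(buildRowUnsafe(7, SAMPLE_NAME)).join(', '));
console.log('safe row opens:  ', openedTags(buildRowSafe(7, SAMPLE_NAME)).join(', '));
```

Where the row is assembled in the browser, assigning the name through `textContent` instead of building an HTML string gives the same result as `buildRowSafe`.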


How to mitigate CVE-2024-47526

Install the security update from the vendor's website.
