Cross-site scripting in LibreNMS - CVE-2024-47527
Published: October 1, 2024 / Updated: May 5, 2026
LibreNMS
Detailed vulnerability description
The vulnerability allows a remote user to execute arbitrary JavaScript in other users' sessions.
The vulnerability exists due to cross-site scripting in device-dependencies.inc.php when rendering the Device Dependencies feature with a crafted hostname parameter. A remote privileged user can create a device with a specially crafted hostname to execute arbitrary JavaScript in other users' sessions.
User interaction is required when another user visits the device dependencies page.