Cross-site scripting in LibreNMS - CVE-2024-47523
Published: October 1, 2024 / Updated: May 5, 2026
LibreNMS
Detailed vulnerability description
The vulnerability allows a remote user to execute arbitrary JavaScript in other users' sessions.
The vulnerability exists due to cross-site scripting in the Alert Transports feature in librenms/includes/html/print-alert-transports.php when creating or viewing alert transports with crafted Details fields. A remote privileged user can submit specially crafted input in fields that are included in the Details section to execute arbitrary JavaScript in other users' sessions.
User interaction is required to load a page containing the stored transport details.