Cross-site scripting in LibreNMS - CVE-2024-47523

 

Published: October 1, 2024 / Updated: May 5, 2026


Vulnerability identifier: #VU129738
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2024-47523
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: LibreNMS Project
Affected software: LibreNMS

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary JavaScript in other users' sessions.

The vulnerability exists due to cross-site scripting in the Alert Transports feature in librenms/includes/html/print-alert-transports.php when creating or viewing alert transports with crafted Details fields. A remote privileged user can submit specially crafted input in fields that are included in the Details section to execute arbitrary JavaScript in other users' sessions.

User interaction is required to load a page containing the stored transport details.


How to mitigate CVE-2024-47523

Install the security update from the vendor's website.
