Arbitrary file upload in LibreNMS - CVE-2024-47528

 


Published: October 1, 2024 / Updated: May 5, 2026


Vulnerability identifier: #VU129741
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2024-47528
CWE-ID: CWE-434
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: LibreNMS Project
Affected software:
LibreNMS

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary script code in a victim's browser.

The vulnerability exists due to unrestricted upload of files with a dangerous type in the custom map background upload feature, which accepts SVG files as custom map backgrounds. A remote user can upload a crafted SVG file containing script payloads to execute arbitrary script code in a victim's browser.

Only users with the admin role can upload the background file, and the issue affects admin users and users with the global read role who can access the uploaded file.


How to mitigate CVE-2024-47528

Install the security update from the vendor's website.

Sources