CVE-2024-56144: LibreNMS Display Name 2 Stored Cross-site Scripting vulnerability
(updated
)
StoredXSS-LibreNMS-Display Name 2
Description:
XSS on the parameters (Replace $DEVICE_ID with your specific $DEVICE_ID value):/device/$DEVICE_ID/edit -> param: display
of Librenms versions 24.11.0 (https://github.com/librenms/librenms) allows remote attackers to inject malicious scripts. When a user views or interacts with the page displaying the data, the malicious script executes immediately, leading to potential unauthorized actions or data exposure.
Proof of Concept:
Add a new device through the LibreNMS interface.
Edit the newly created device by going to the “Device Settings” section.
In the “Display Name” field, enter the following payload: "><img src onerror="alert(document.cookie)">.Click to open external image
Save the changes.
The XSS payload is triggered when navigating to the path /device/$DEVICE_ID/logs and hovering over a type containing a tag (such as Core 1 in the image).Click to open external image
Detect and mitigate CVE-2024-56144 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects
contain no disclosed vulnerabilities.
Learn more about Dependency Scanning →