GHSA-pm8j-3v64-92cq: LibreNMS Display Name Stored Cross-site Scripting vulnerability
Description:
XSS on the parameters (Replace $DEVICE_ID with your specific $DEVICE_ID value):/device/$DEVICE_ID/edit -> param: display
of Librenms versions 24.9.0, 24.10.0, and 24.10.1 (https://github.com/librenms/librenms) allows remote attackers to inject malicious scripts. When a user views or interacts with the page displaying the data, the malicious script executes immediately, leading to potential unauthorized actions or data exposure.
Proof of Concept:
Add a new device through the LibreNMS interface.
Edit the newly created device by going to the “Device Settings” section.
In the “Display Name” field, enter the following payload: "><script>alert(1)</script>.Click to open external image
Save the changes.
The XSS payload triggers when accessing the “/apps” path (if an application was previously added).Click to open external image
Additional PoC:
In the “Display Name” field, enter the following payload: "><img src onerror="alert(1)">.Click to open external image
The XSS vulnerability is triggered when accessing the “/ports” path, and the payload executes when hovering over the modified value in the “Port” field.Click to open external image
Detect and mitigate GHSA-pm8j-3v64-92cq with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects
contain no disclosed vulnerabilities.
Learn more about Dependency Scanning →