Librenms · Librenms · CVE-2026-26991
**Name of the Vulnerable Software and Affected Versions**
LibreNMS versions 26.1.1 and below
**Description**
LibreNMS, an auto-discovering PHP/MySQL/SNMP based network monitoring tool, contains a stored cross-site scripting (XSS) issue in the device group name. An authenticated attacker with admin privileges creates a device group with an HTTP POST request to the `/device-groups` endpoint and places the payload in the `name` parameter. The name is stored without sanitization and later rendered into the device group's Delete button without escaping of HTML-significant characters, so the injected script runs when another user interacts with that entry, for example by clicking Delete. A proof-of-concept demonstrates cookie theft: the stored payload makes the victim's browser send its cookies to an attacker-controlled server.
**Recommendations**
Update to version 26.2.0 or later.