Murrant

**Name of the Vulnerable Software and Affected Versions** LibreNMS versions 25.12.0 and below **Description** LibreNMS is a network monitoring tool susceptible to Reflected Cross-Site Scripting (XSS) attacks. The issue occurs through the email field. This impacts versions prior to 26.2.0. **Recommendations** Update to version 26.2.0 or later.

**Name of the Vulnerable Software and Affected Versions** librenms versions prior to 23.10.0 **Description** The issue is related to SQL Injection in the GitHub repository librenms/librenms. **Recommendations** For versions prior to 23.10.0, update to version 23.10.0 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** librenms versions prior to 23.9.1 **Description** The issue is related to Cross-site Scripting (XSS) - DOM in the GitHub repository librenms/librenms. This type of attack occurs when an application includes user input in its output without proper validation, allowing an attacker to inject malicious scripts into the website. **Recommendations** For versions prior to 23.9.1, update to version 23.9.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** librenms versions prior to 22.10.0 **Description** The issue is related to Cross-site Scripting (XSS) - Generic in the GitHub repository librenms/librenms. **Recommendations** For versions prior to 22.10.0, update to version 22.10.0 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** librenms versions prior to 22.10.0 **Description** The issue concerns deserialization of untrusted data. **Recommendations** For versions prior to 22.10.0, update to version 22.10.0 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** librenms versions prior to 22.10.0 **Description** The issue is related to Cross-site Scripting (XSS) - Stored, which affects the GitHub repository librenms/librenms. **Recommendations** For versions prior to 22.10.0, update to version 22.10.0 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** librenms versions prior to 22.10.0 **Description** The issue is related to Cross-site Scripting (XSS) - Stored, which affects the GitHub repository librenms/librenms. **Recommendations** For versions prior to 22.10.0, update to version 22.10.0 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** No specific software or versions are mentioned in the provided descriptions. **Description** The issue allows a user to enable their own account even if it was disabled by an admin, as long as the user still holds a valid session. Additionally, there is a problem with the sanitization of the username in the admin user overview, which enables an XSS attack. This attack allows an attacker with low privilege user access to execute arbitrary JavaScript in the context of an admin's account. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** librenms versions prior to 22.10.0 **Description** The issue is related to Cross-site Scripting (XSS) - Generic. This is a type of security vulnerability that occurs when an application includes user input in its output without proper validation or encoding, allowing an attacker to inject malicious scripts into the application. **Recommendations** For versions prior to 22.10.0, update to version 22.10.0 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** librenms versions prior to 22.10.0 **Description** The issue is related to Cross-site Scripting (XSS) - Stored, which affects the GitHub repository librenms/librenms. **Recommendations** For versions prior to 22.10.0, update to version 22.10.0 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** LibreNMS versions prior to 22.9.0 **Description** The issue is related to Cross-site Scripting (XSS) - Stored, which allows attackers to execute arbitrary JavaScript code. Specifically, the `Title` parameter in the Schedule Maintenance feature is vulnerable. This could potentially affect a significant number of devices worldwide, although an exact estimate is not provided. There is no information about real-world incidents where this issue was exploited. **Recommendations** For versions prior to 22.9.0, update to version 22.9.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the Schedule Maintenance feature or avoiding the use of the `Title` parameter until the update is applied.

**Name of the Vulnerable Software and Affected Versions** LibreNMS version 22.3.0 **Description** A cross-site scripting (XSS) issue was found in LibreNMS. The vulnerability is related to the /Table/GraylogController.php component. **Recommendations** For LibreNMS version 22.3.0, as a temporary workaround, consider restricting access to the `GraylogController.php` component until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** LibreNMS versions through 21.10.2 **Description** The issue allows for XSS via a widget title. **Recommendations** For versions through 21.10.2, update to a version later than 21.10.2 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** LibreNMS versions prior to 21.3.0 **Description** A stored XSS issue was identified in the API Access page due to insufficient sanitization of the `$api->description` variable, allowing arbitrary Javascript code to be executed. **Recommendations** For versions prior to 21.3.0, update to version 21.3.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the API Access page until the update is applied.

Name of the Vulnerable Software and Affected Versions: LibreNMS versions prior to 1.48 Description: The issue allows SQL injection via the `sort[hostname]` parameter in the "html/ajax table.php" endpoint, which can be exploited by authenticated users during a search. Recommendations: For versions prior to 1.48, update to version 1.48 or later to resolve the issue.