CVE-2019-10670

Name of the Vulnerable Software and Affected Versions LibreNMS versions prior to 1.48

Description An issue in LibreNMS allows unsafe data to be injected into HTML or JavaScript contexts due to ineffective filtering of user-supplied input using the mysqli escape real string function. This can lead to attacker-controlled JavaScript executing in the browser. For example, the string parameter in html/pages/inventory.inc.php is vulnerable.

Recommendations For LibreNMS versions prior to 1.48, update to version 1.48 or later to resolve the issue. As a temporary workaround, consider restricting access to the html/pages/inventory.inc.php page to minimize the risk of exploitation. Avoid using the string parameter in the affected context until the issue is resolved.