PT-2023-30764 · Librenms · Librenms

Rook1337 · Published 2023-11-17 · Updated 2023-11-25 · CVE-2023-48295

CVSS v3.1: 6.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions: LibreNMS versions prior to 23.11.0

Description: The issue is a cross-site scripting (XSS) vulnerability in the device group popups. It occurs because the application does not properly sanitize the device group name before rendering it, which allows an attacker to execute malicious JavaScript code in the browser of a user who views the popup. The vulnerability can be triggered by creating a device group with a malicious name, such as "><img src=x onerror=alert(1);>, and then deleting the device group, which renders the popup and fires the XSS payload. The estimated number of potentially affected devices is not provided. There are no known real-world incidents where this issue was exploited.

Recommendations: For LibreNMS versions prior to 23.11.0, upgrade to release version 23.11.0 or later to address the vulnerability. As a temporary workaround, consider restricting access to the device group popups until the issue is resolved. Avoid using unsanitized input in the device group names to minimize the risk of exploitation.
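The following is an added illustration, not LibreNMS code and not taken from the advisory, of the rendering flaw the description refers to: a device group name is written into the "delete group" popup markup without HTML encoding, so the payload quoted above breaks out of the attribute and adds an <img> element of its own. The hardened variant encodes the name at the point of output, and an assumed allow-list check on group names at creation time is shown as defense in depth. The function names, the popup markup, the name policy and the countTags() heuristic are all assumptions made for this example; the malicious name is constructed from the payload given in the description.

```javascript
// Added example (hypothetical; not LibreNMS code). Demonstrates why the
// device group name must be HTML-encoded before it is placed into the
// popup, and how a simple check can tell the two renderings apart.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five characters that can change HTML structure. Applied to
// every untrusted value at output time, this is the actual fix for the
// class of bug in the advisory.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Vulnerable rendering: the name is concatenated into the markup as-is.
// A name containing "> closes the attribute and the payload becomes a tag.
function renderDeletePopupUnsafe(group) {
  return `<div class="popup" data-name="${group.name}">Delete device group "${group.name}"?</div>`;
}

// Hardened rendering: the name is encoded once and used in both the
// attribute and the text node, so it can only ever be displayed, not parsed.
function renderDeletePopupSafe(group) {
  const name = escapeHtml(group.name);
  return `<div class="popup" data-name="${name}">Delete device group "${name}"?</div>`;
}

// Defense in depth (assumed policy, not LibreNMS's): reject names that carry
// markup characters at creation time. Output encoding is still required,
// because other code paths may feed names into HTML.
function isValidGroupName(name) {
  return /^[\w .-]{1,64}$/.test(name);
}

// Crude heuristic used here only to compare the two renderings: count
// opening tags in the produced markup. The template writes exactly one
// <div>, so anything above 1 means untrusted input became a tag.
function countTags(html) {
  return (html.match(/<[a-zA-Z][^>]*>/g) || []).length;
}

// Constructed sample group, name taken from the payload quoted in the advisory.
const MALICIOUS_GROUP = { id: 7, name: '"><img src=x onerror=alert(1);>' };

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe tags :', countTags(renderDeletePopupUnsafe(MALICIOUS_GROUP))); // 3
  console.log('safe tags   :', countTags(renderDeletePopupSafe(MALICIOUS_GROUP)));   // 1
  console.log('name valid  :', isValidGroupName(MALICIOUS_GROUP.name));               // false
  console.log(renderDeletePopupSafe(MALICIOUS_GROUP));
}

module.exports = { escapeHtml, renderDeletePopupUnsafe, renderDeletePopupSafe, isValidGroupName, countTags, MALICIOUS_GROUP };
```

Running the block under Node shows the unsafe rendering producing three tags (the intended div plus two injected img elements, one from the attribute and one from the text) while the encoded rendering produces one. In a template engine this corresponds to using the auto-escaping output syntax rather than a raw/unescaped one for every value that originates from a user.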

Links: Exploit · Fix

Tags: XSS

Weakness Enumeration

Related Identifiers

CVE-2023-48295
GHSA-8PHR-637G-PXRG

Affected Products

Librenms