PT-2024-32639 · Librenms · Librenms
Minhnq1618 · Published 2024-10-01 · Updated 2024-12-19
CVE-2024-47524
CVSS v4.0: 7.3 (High)
Vector: AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
Name of the Vulnerable Software and Affected Versions
LibreNMS versions prior to 24.9.0
Description
The application fails to properly sanitize user input in the Device Groups name, allowing an attacker to execute malicious JavaScript code when a user views the details of the Device Group. This can be exploited by creating a new Device Group with malicious JavaScript code in its name. For example, using the onerror attribute in an img tag, such as <img src="x" onerror="alert(document.cookie)">, can trigger the execution of the malicious code when the Device Group details are viewed. This issue can impact all users who have access to the detail page of the device group, as anyone can potentially execute malicious JavaScript code.
Recommendations
For versions prior to 24.9.0, update to version 24.9.0 or later to fix the vulnerability. As a temporary workaround, consider restricting access to the Device Groups feature for non-admin users and avoiding the use of user-inputted data in the Device Groups name until the issue is resolved. Additionally, disabling JavaScript execution in the browser when viewing Device Group details can help mitigate the risk of exploitation.
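The flaw described above is missing output encoding of a stored Device Group name. The sketch below is an added example, not LibreNMS code: it renders the payload quoted in the description with and without encoding, and flags stored names worth reviewing after upgrading. The function names, the `group-title` class and the sample names are assumptions made for illustration.

```javascript
// Constructed sample data: two ordinary names plus the payload quoted in the advisory.
const SAMPLE_NAMES = [
  'Core switches',
  '<img src="x" onerror="alert(document.cookie)">',
  'Edge < 10G & R&D',
];

// Encode the characters that are significant in HTML text and quoted attributes.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Vulnerable pattern: the stored name is concatenated into markup unchanged,
// so the browser parses it as HTML and runs the onerror handler.
function renderGroupTitleUnsafe(name) {
  return '<h2 class="group-title">' + name + '</h2>';
}

// Hardened pattern: the name is encoded at output time and is displayed as text.
function renderGroupTitleSafe(name) {
  return '<h2 class="group-title">' + escapeHtml(name) + '</h2>';
}

// Audit helper (hypothetical): flag names where "<" starts a tag, closing tag or
// comment/declaration. A bare "<" followed by a space or digit is not flagged.
function findSuspiciousNames(names) {
  const tagStart = /<[a-zA-Z\/!]/;
  return names.filter((name) => tagStart.test(name));
}

for (const name of SAMPLE_NAMES) {
  console.log('unsafe:', renderGroupTitleUnsafe(name));
  console.log('safe:  ', renderGroupTitleSafe(name));
}
console.log('review:', findSuspiciousNames(SAMPLE_NAMES));
```

Encoding at output time is what makes already-stored names harmless; the audit helper only helps locate entries that should be renamed or investigated.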
Exploit
Fix
XSS
Affected Products
Librenms