CVE-2024-47528

Name of the Vulnerable Software and Affected Versions LibreNMS versions prior to 24.9.0

Description Stored Cross-Site Scripting (XSS) can be achieved by uploading a new Background for a Custom Map. Users with "admin" role can set background for a custom map, allowing the upload of SVG files that can contain XSS payloads, which will trigger on load. This leads to Stored Cross-Site Scripting (XSS). The issue affects admin role users and global read role users, as normal users do not have permission to read the file.

Recommendations For versions prior to 24.9.0, update to version 24.9.0 to resolve the issue. As a temporary workaround, consider restricting the upload of SVG files for custom map backgrounds or limiting the "admin" role's ability to set backgrounds until the update is applied. Avoid using the API endpoint "/maps/custom/1/background" for uploading SVG files until the issue is resolved.