CVE-2024-49754

Name of the Vulnerable Software and Affected Versions: LibreNMS versions prior to 24.10.0

Description: A Stored Cross-Site Scripting (XSS) vulnerability in the API-Access page allows authenticated users to inject arbitrary JavaScript through the token parameter when creating a new API token. This can result in the execution of malicious code in the context of other users' sessions, compromising their accounts and enabling unauthorized actions.

Recommendations: For versions prior to 24.10.0, update to version 24.10.0 to fix the vulnerability. As a temporary workaround, consider restricting access to the API-Access page or disabling the creation of new API tokens until the update is applied. Avoid using the token parameter in the affected API endpoint until the issue is resolved.