PT-2024-33668 · Librenms · Librenms+1
Author: Minhnq1618 · Published 2024-11-15 · Updated 2024-11-20
CVE-2024-49758
CVSS v3.1: 4.8 (Medium)
Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions:
LibreNMS versions prior to 24.10.0
Description:
The application fails to properly sanitize user input, allowing an attacker to execute malicious JavaScript code. The issue occurs when a user with the Admin role adds Notes to a device while the ExamplePlugin is enabled: any JavaScript placed in the device's Notes is executed when the Notes are rendered. This allows authenticated users to execute arbitrary JavaScript code in the context of other users' sessions, potentially compromising accounts and enabling unauthorized actions.
Recommendations:
For versions prior to 24.10.0, update to version 24.10.0 or later to resolve the issue. As a temporary workaround, consider disabling the ExamplePlugin until a patch is applied. Restrict access to the Notes feature for users with the Admin role to minimize the risk of exploitation, and avoid using the Notes field in the device settings until the issue is resolved.
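The defect class behind this advisory is a stored field (the device Notes) inserted into a plugin page without output encoding. The following is an added illustration, not LibreNMS or ExamplePlugin code, and all function and variable names in it are hypothetical; it shows the unsafe rendering pattern next to the encoded form that a fix would use (in a Blade template the equivalent is emitting the value with `{{ }}` rather than `{!! !!}`).

```php
<?php
// Added example, not LibreNMS or ExamplePlugin code. It models the defect
// class behind CVE-2024-49758: a plugin page that inserts a device's Notes
// field into HTML without output encoding. Names here are hypothetical.

declare(strict_types=1);

// Vulnerable pattern: the stored note is concatenated straight into markup,
// so any HTML or script an admin typed into Notes is interpreted by the
// browser of whoever views the plugin page.
function renderNotesUnsafe(string $notes): string
{
    return '<div class="device-notes">' . $notes . '</div>';
}

// Hardened pattern: encode the note as text at the point of output.
// ENT_QUOTES encodes both quote styles, so the value is also safe inside
// attribute values; ENT_SUBSTITUTE replaces invalid UTF-8 sequences instead
// of returning an empty string, which would silently drop the whole note.
function renderNotesSafe(string $notes): string
{
    $encoded = htmlspecialchars($notes, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
    return '<div class="device-notes">' . $encoded . '</div>';
}

// Constructed sample note: benign text followed by markup that must be shown
// as literal text, never interpreted, when the plugin page is viewed.
$sampleNote = "Core switch, rack 4 <b>keep</b> <script>alert(1)</script>";

// The unsafe variant hands the <script> element to the browser as-is.
echo renderNotesUnsafe($sampleNote), PHP_EOL;

// The safe variant emits the same note with <, >, quotes and & encoded,
// so the browser displays the tag text instead of executing it.
echo renderNotesSafe($sampleNote), PHP_EOL;
```

Because the encoding happens at output time, the stored note itself is left untouched, which keeps legitimate notes readable while removing the execution path.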
Affected Products:
Exampleplugin, Librenms