PT-2024-33669 · Librenms · Librenms

Raphaelcss (+1)

Published 2024-11-15 · Updated 2024-11-20

CVE-2024-49759

CVSS v3.1 4.8 Medium
Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: LibreNMS versions prior to 24.10.0
Description: A stored cross-site scripting (XSS) vulnerability in the "Manage User Access" page allows an authenticated user to inject arbitrary JavaScript through the bill name parameter when creating a new bill. The bill name is stored and later rendered without escaping into the "Bill Access" dropdown on a user's "Manage Access" page, so the injected script executes in the browser of anyone who opens that page, potentially compromising their session and allowing unauthorized actions on their behalf. The CVSS vector (PR:H, UI:R, S:C) reflects that creating a bill requires elevated privileges, that a victim must open the affected page, and that the code runs in the victim's browser rather than in the component that stored it.
Recommendations: Update to version 24.10.0 or later, which fixes the vulnerability. Until the update is applied, restrict which accounts may create bills and which may open the "Manage User Access" page and its "Bill Access" dropdown, avoid entering untrusted values in the bill name field, and review existing bill names for HTML or script markup, since a payload stored before the fix remains in the database until it is removed.

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2024-49759
GHSA-888J-PJQH-FX58

Affected Products

Librenms