PT-2024-34160 · Librenms · Librenms

Credits: Raphaelcss +1

Published: 2024-11-15 · Updated: 2024-11-18 · CVE-2024-50351

CVSS v3.1: 4.8 (Medium)
Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: LibreNMS versions prior to 24.10.0
Description: A Reflected Cross-Site Scripting (XSS) vulnerability in the section parameter of a device's logs tab allows attackers to inject arbitrary JavaScript. The malicious code executes when a user opens the page through a crafted URL carrying a malicious section parameter, potentially compromising their session and enabling unauthorized actions. The issue arises from a lack of sanitization in the report_this() function, which reflects the unsanitized value into the page. Because the script runs in the context of the victim's session, successful exploitation could lead to session hijacking, unauthorized actions performed on the victim's behalf, or further exploitation through injected scripts.
Recommendations: For versions prior to 24.10.0, update to version 24.10.0 to fix the vulnerability. As a temporary workaround, consider restricting access to the logs tab or disabling the report_this() function until a patch is available. Avoid using the section parameter in the affected API endpoint until the issue is resolved.

Tags: Exploit · Fix · XSS


Weakness Enumeration

Related Identifiers: CVE-2024-50351, GHSA-V7W9-63XH-6R3W

Affected Products: Librenms