CVE-2024-50352

Name of the Vulnerable Software and Affected Versions: LibreNMS versions prior to 24.10.0

Description: A Stored Cross-Site Scripting (XSS) vulnerability in the "Services" section of the Device Overview page allows authenticated users to inject arbitrary JavaScript through the name parameter when adding a service to a device. This could result in the execution of malicious code in the context of other users' sessions, potentially compromising their accounts and enabling unauthorized actions.

Recommendations: For versions prior to 24.10.0, update to version 24.10.0 to fix the vulnerability. As a temporary workaround, consider restricting access to the "Services" section of the Device Overview page to minimize the risk of exploitation. Avoid using the name parameter in the affected API endpoint until the issue is resolved.