PT-2024-34164 · LibreNMS · LibreNMS
Author: Minhnq1618 · Published: 2024-11-15 · Updated: 2024-11-20
CVE ID: CVE-2024-50355
CVSS v3.1: 4.8 (Medium)
Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: LibreNMS versions prior to 24.10.0
Description: The application fails to properly sanitize user input in the device Display Name, allowing an attacker to store malicious JavaScript that runs when the name is rendered (a stored cross-site scripting issue). The stored name is rendered unescaped in several places, including the Manage Access page, Alert Rules, Alert Notifications, Alert History, the Event Log, the Outages function, and the dashboard. An authenticated user with permission to set the Display Name can therefore execute arbitrary JavaScript in the context of other users' sessions, potentially compromising user accounts and enabling unauthorized actions.
Recommendations: For versions prior to 24.10.0, update to version 24.10.0 or later to fix the vulnerability. As a temporary workaround, consider restricting access to the device Display Name field for users with Admin roles until the update is applied. Additionally, avoid using JavaScript code in the device Display Name to minimize the risk of exploitation.
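The root cause described above is that a stored value (the device Display Name) reaches several pages without output encoding. The following is an added example, not code from LibreNMS or from this advisory's author, showing the unsafe interpolation pattern next to its encoded form, plus a small audit helper a defender could run over stored names during the workaround period. The device records, hostnames and the `MARKUP_PATTERN` heuristic are constructed for the demonstration and are not LibreNMS data or APIs.

```javascript
// Added example (not LibreNMS code): contextual HTML escaping for a device
// Display Name and an audit of stored names while the 24.10.0 update is
// pending. The device records below are constructed for the demonstration.

// Escape the five characters that matter in an HTML text or attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#39;",
  })[ch]);
}

// The vulnerable pattern: the stored name is interpolated straight into markup,
// so any tags it contains become part of the page.
function renderDeviceCellUnsafe(device) {
  return `<td class="device-name">${device.display_name}</td>`;
}

// The fixed pattern: every untrusted value is encoded at the point of output,
// whichever page (alerts, event log, dashboard, ...) happens to render it.
function renderDeviceCellSafe(device) {
  return `<td class="device-name">${escapeHtml(device.display_name)}</td>`;
}

// Audit heuristic (assumption, not an official check): flag stored display
// names that contain a tag opener, an inline event-handler attribute, or a
// javascript: URL so an operator can review them before they reach a browser.
const MARKUP_PATTERN = /<\s*\/?\s*[a-z!]|on[a-z]+\s*=|javascript:/i;

function findSuspiciousDisplayNames(devices) {
  return devices
    .filter((d) => MARKUP_PATTERN.test(d.display_name))
    .map((d) => d.device_id);
}

// Constructed sample inventory; ids, hostnames and names are placeholders.
const SAMPLE_DEVICES = [
  { device_id: 1, hostname: "core-rtr-1.example.test", display_name: "Core Router 1" },
  { device_id: 2, hostname: "sw-02.example.test", display_name: "Switch <b>02</b>" },
  { device_id: 3, hostname: "fw-dmz.example.test", display_name: 'DMZ "Edge" Firewall & NAT' },
];

if (typeof require !== "undefined" && require.main === module) {
  for (const d of SAMPLE_DEVICES) {
    console.log(renderDeviceCellSafe(d));
  }
  console.log("names to review:", findSuspiciousDisplayNames(SAMPLE_DEVICES));
}
```

The safe renderer treats the Display Name as text in every output context, which is the property the 24.10.0 fix restores; the audit helper only narrows the set of records a human should look at and is not a substitute for the update.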

Tags: Exploit · Fix · XSS

Weakness Enumeration: none listed
Related Identifiers: CVE-2024-50355, GHSA-4M5R-W2RQ-Q54Q
Affected Products: LibreNMS