CVE-2024-51495

Name of the Vulnerable Software and Affected Versions LibreNMS versions prior to 24.10.0

Description A Stored Cross-Site Scripting (XSS) vulnerability in the Device Overview page allows authenticated users to inject arbitrary JavaScript through the overwrite ip parameter when editing a device. This results in the execution of malicious code when the device overview page is visited, potentially compromising the accounts of other users. The vulnerability occurs when editing a device, and an attacker can inject arbitrary JavaScript into the overwrite ip parameter. The malicious script is then executed in the "Assigned IP" field when the device overview page is loaded.

Recommendations For versions prior to 24.10.0, update to version 24.10.0 or later to fix the vulnerability. As a temporary workaround, consider restricting access to the Device Overview page or disabling the editing of devices to minimize the risk of exploitation. Avoid using the overwrite ip parameter in the affected API endpoint until the issue is resolved.