PT-2024-34660 · Librenms · Librenms
Raphaelcss +1
Published 2024-11-15 · Updated 2024-11-18
CVE-2024-51496
CVSS v3.1: 7.5 (High), vector AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:L
Name of the Vulnerable Software and Affected Versions
LibreNMS versions prior to 24.10.0
Description
A reflected cross-site scripting (XSS) vulnerability in the metric parameter of the "/wireless" and "/health" endpoints allows an attacker to inject arbitrary JavaScript into the page. The value of the metric parameter is reflected into the response without proper sanitization, so when a victim opens a crafted link that carries a malicious metric value, the injected script runs in the victim's browser in the context of their LibreNMS session. This can compromise the session and allow actions to be performed on the victim's behalf.
Recommendations
For versions prior to 24.10.0, update to version 24.10.0 or later, which fixes the vulnerability. As a temporary workaround, restrict access to the "/wireless" and "/health" endpoints (for example, to trusted networks or users) to reduce the exposure, and do not follow links that pass a metric parameter to these endpoints until the update has been applied.
Exploit · Fix · XSS
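The bug class in the description above, reduced to a runnable illustration. This is an added example and not LibreNMS code: the page layout, the allowlist of metric names, the escaping helper and the payload are all constructed stand-ins. It contrasts a handler that concatenates the metric query parameter straight into HTML with one that validates the parameter against an allowlist and escapes it on output, and includes a small check for whether untrusted markup survives into the response.

```javascript
// Added illustration of reflected XSS through a query parameter.
// NOT LibreNMS code: page layout, metric names and helpers are hypothetical.

// Hypothetical allowlist of metric names the page knows how to render.
const KNOWN_METRICS = new Set(["clients", "noise-floor", "rssi", "temperature", "storage"]);

// Minimal HTML escaping for text placed in an element body or a quoted attribute.
// It is not sufficient for values reflected into a <script> block or a URL.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Extract the decoded metric query parameter from a request path + query.
function getMetricParam(requestUrl) {
  const url = new URL(requestUrl, "http://librenms.example"); // base host is a placeholder
  return url.searchParams.get("metric");
}

// Vulnerable pattern: the untrusted parameter is concatenated into the HTML as-is.
function renderVulnerable(requestUrl) {
  const metric = getMetricParam(requestUrl) ?? "";
  return `<h2>Wireless metric: ${metric}</h2>`;
}

// Hardened pattern: reject anything outside the allowlist, and still escape on output
// so a later change to the allowlist cannot silently reintroduce the injection.
function renderHardened(requestUrl) {
  const metric = getMetricParam(requestUrl) ?? "";
  if (!KNOWN_METRICS.has(metric)) {
    return { status: 400, body: "<p>Unknown metric</p>" };
  }
  return { status: 200, body: `<h2>Wireless metric: ${escapeHtml(metric)}</h2>` };
}

// Detection helper: does the raw untrusted markup appear verbatim in the response body?
function reflectsRawMarkup(body, payload) {
  return body.includes(payload);
}

// Constructed sample requests: a crafted link an attacker would send to a victim,
// and a benign request for a known metric.
const PAYLOAD = "<script>alert(document.cookie)</script>";
const CRAFTED = "/wireless?metric=" + encodeURIComponent(PAYLOAD);
const BENIGN = "/wireless?metric=rssi";

console.log("vulnerable:", renderVulnerable(CRAFTED));
console.log("hardened  :", renderHardened(CRAFTED));
console.log("benign    :", renderHardened(BENIGN));
```

The allowlist is the stronger control here, because a metric name is an enumerated value and there is no reason to accept free-form text at all; output escaping is kept as defence in depth, and its correctness depends on the value landing in an HTML element body rather than inside a script or attribute-URL context.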
Affected Products
Librenms