CVE-2024-51497

Name of the Vulnerable Software and Affected Versions LibreNMS versions prior to 24.10.0

Description A Stored Cross-Site Scripting (XSS) vulnerability in the "Custom OID" tab of a device allows authenticated users to inject arbitrary JavaScript through the unit parameter when creating a new OID. This can lead to the execution of malicious code in the context of other users' sessions, compromising their accounts and enabling unauthorized actions.

Recommendations For versions prior to 24.10.0, update to version 24.10.0 to fix the vulnerability. As a temporary workaround, consider restricting access to the "Custom OID" tab or disabling the ability to create new OIDs until the update can be applied. Avoid using the unit parameter in the affected API endpoint until the issue is resolved.