CVE-2024-52526

Name of the Vulnerable Software and Affected Versions LibreNMS versions prior to 24.10.0

Description A Stored Cross-Site Scripting (XSS) vulnerability in the "Services" tab of the Device page allows authenticated users to inject arbitrary JavaScript through the descr parameter when adding a service to a device. This could result in the execution of malicious code in the context of other users' sessions, potentially compromising their accounts and enabling unauthorized actions. The vulnerability is exploited by injecting an XSS payload in the descr parameter, which is reflected in the "Services" tab of the device. The root cause is the application's failure to sanitize the descr parameter before outputting it in the HTML.

Recommendations For versions prior to 24.10.0, update to version 24.10.0 to fix the vulnerability. As a temporary workaround, consider restricting access to the "Services" tab of the Device page or disabling the ability to add services to devices until the update is applied. Avoid using the descr parameter in the affected API endpoint until the issue is resolved.