PT-2024-7961 · Librenms · Librenms

Raphaelcss +1 · Published 2024-10-01 · Updated 2024-10-07 · CVE-2024-47527

CVSS v2.0: 8.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:P/A:P
Name of the Vulnerable Software and Affected Versions: LibreNMS versions prior to 24.9.0

Description: A stored cross-site scripting (XSS) vulnerability in the "Device Dependencies" feature allows authenticated users to inject arbitrary JavaScript through the hostname parameter. When a device is created in LibreNMS, an attacker can supply arbitrary JavaScript in the hostname parameter; that script is then executed when another user visits the device dependencies page. The malicious code runs in the context of the other users' sessions, potentially compromising their accounts and allowing unauthorized actions.

Recommendations: For versions prior to 24.9.0, update to version 24.9.0 or later to fix the vulnerability. As a temporary workaround, consider restricting access to the "Device Dependencies" feature to minimize the risk of exploitation. Avoid using the hostname parameter in the affected API endpoint until the issue is resolved.
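As an added defensive illustration (not code from LibreNMS or from this advisory), the following JavaScript shows the two controls that close this class of bug: validating the hostname parameter against the RFC 1123 hostname grammar before it is stored, and HTML-escaping it wherever it is rendered into the dependencies page. The function names, the in-memory store and the sample payload are constructed for the example.

```javascript
// Added example: defensive handling of a hostname parameter that is later
// rendered into an HTML page. Not LibreNMS code; names are hypothetical.

// RFC 1123 hostname label: letters, digits and hyphens, 1-63 characters,
// not starting or ending with a hyphen. Whole name is at most 253 chars.
const LABEL_RE = /^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$/;

function isValidHostname(value) {
  if (typeof value !== "string" || value.length === 0 || value.length > 253) {
    return false;
  }
  const name = value.endsWith(".") ? value.slice(0, -1) : value; // allow FQDN dot
  if (name.length === 0) return false;
  return name.split(".").every((label) => LABEL_RE.test(label));
}

// Escape the characters that break out of HTML text and attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[ch]);
}

// "Create device" handling: reject anything that is not a hostname
// instead of storing it (the input-side control).
function storeDevice(store, hostname) {
  if (!isValidHostname(hostname)) {
    throw new Error("invalid hostname");
  }
  store.push({ hostname });
  return store.length;
}

// Dependencies page rendering: even if a bad value already reached the
// store, output encoding keeps it inert (the output-side control).
function renderDependencyRow(device) {
  const h = escapeHtml(device.hostname);
  return `<tr><td title="${h}">${h}</td></tr>`;
}

// Constructed sample input of the kind the advisory describes.
const SAMPLE_PAYLOAD = "<script>alert(1)</script>";

function demo() {
  const store = [];
  storeDevice(store, "core-sw01.example.net");
  let rejected = false;
  try { storeDevice(store, SAMPLE_PAYLOAD); } catch (e) { rejected = true; }
  const html = renderDependencyRow({ hostname: SAMPLE_PAYLOAD });
  return { rejected, containsScriptTag: html.includes("<script"), html };
}
```

Both controls are needed: validation stops the value at the API boundary, while output encoding protects records that were stored before the fix or reached the database by another path.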

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

BDU:2024-09474
CVE-2024-47527
GHSA-RWWC-2V8Q-GC9V

Affected Products

Librenms