CVE-2024-56144

Name of the Vulnerable Software and Affected Versions Librenms versions up to 24.11.0

Description The issue concerns a stored XSS vulnerability in the parameters of the /device/$DEVICE ID/edit endpoint, specifically the display parameter. This allows remote attackers to inject malicious scripts, which execute when a user views or interacts with the page displaying the data. The vulnerability can lead to potential unauthorized actions or data exposure.

Recommendations For Librenms versions up to 24.11.0, upgrade to release version 24.12.0 to address the issue. As a temporary workaround, consider restricting access to the /device/$DEVICE ID/edit endpoint and the display parameter to minimize the risk of exploitation. Avoid using the display parameter in the affected API endpoint until the issue is resolved.