PT-2025-4840 · Librenms · Librenms

Tcu0N9 · Published 2025-01-16 · Updated 2025-01-17 · CVE-2025-23198

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: LibreNMS versions up to 24.10.1

Description: The issue is a stored cross-site scripting (XSS) vulnerability in the parameters of the `/device/$DEVICE_ID/edit` endpoint, specifically the `display` parameter. A remote attacker can store a malicious script through this parameter; the script executes when a user views or interacts with a page that renders the stored data, potentially leading to unauthorized actions in that user's session or to data exposure.

Recommendations: For LibreNMS versions up to 24.10.1, upgrade to release 24.11.0, which addresses the issue. As a temporary workaround, restrict access to the `/device/$DEVICE_ID/edit` endpoint and avoid using the `display` parameter until the upgrade is applied. Additionally, restricting interactions with pages that display data from the vulnerable endpoint reduces the window for exploitation.

Exploit · Fix · XSS

Related Identifiers

- CVE-2025-23198
- GHSA-PM8J-3V64-92CQ

Affected Products

- LibreNMS