Description:
Stored XSS on the parameter: ajax_form.php
-> param: state
Request:
POST /ajax_form.php HTTP/1.1
Host: <your_host>
X-Requested-With: XMLHttpRequest
X-CSRF-TOKEN: <your_XSRF_token>
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Cookie: <your_cookie>
type=override-config&device_id=1&attrib=override_icmp_disable&state="><img%20src%20onerror="alert(1)">
of Librenms version 24.10.1 (https://github.com/librenms/librenms) allows remote attackers to inject malicious scripts. When a user views or interacts with the page displaying the data, the malicious script executes immediately, leading to potential unauthorized actions or data exposure.
The vulnerability in the line:
$attrib_val = get_dev_attrib($device, $name);
within the dynamic_override_config
function arises because the value of $attrib_val is
retrieved from untrusted data without any sanitization or encoding (at Line 778).
When dynamic_override_config
is called, the unescaped $attrib_val
is injected directly into the HTML (at misc.inc.php).
Proof of Concept:
1. Add a new device through the LibreNMS interface.
2. Edit the newly created device and select the Misc section.
3. In any of the following fields: "Override default ssh port", "Override default telnet port", "Override default http port" or "Unix agent port", enter the payload: "><img src onerror="alert(document.cookie)">
.
4. Save the changes.
5. Observe that when the page loads, the XSS payload executes, triggering a popup that displays the current cookies.
Impact:
Execution of Malicious Code
{ "github_reviewed_at": "2025-01-16T17:32:55Z", "github_reviewed": true, "severity": "MODERATE", "nvd_published_at": "2025-01-16T23:15:08Z", "cwe_ids": [ "CWE-79" ] }