A Self Cross-Site Scripting (Self-XSS) vulnerability in the "Alert Templates" feature allows users to inject arbitrary JavaScript into the alert template's name. This script executes immediately upon submission but does not persist after a page refresh.
The vulnerability occurs when creating an alert template in the LibreNMS interface. Although the application sanitizes the "name" field when storing it in the database, this newly created template is immediately added to the table without any sanitization being applied to the name, allowing users to inject arbitrary JavaScript. This script executes when the template is created but does not persist in the database, thus preventing stored XSS.
For instance, the following payload can be used to exploit the vulnerability:
test1<script>{onerror=alert}throw 1337</script>
The root cause of this vulnerability lies in the lack of sanitization of the "name" variable before it is rendered in the table. The vulnerability exists because the bootgrid function of the jQuery grid plugin does not sanitize the text being added to the table. Although tags are stripped before being added to the database (as shown in the code below), the vulnerability still allows Self-XSS during the creation of the template.
Where the variable is being sanitized before being stored in the database: https://github.com/librenms/librenms/blob/0e741e365aa974a74aee6b43d1b4b759158a5c7e/includes/html/forms/alert-templates.inc.php#L40
Where the vulnerability is happening: https://github.com/librenms/librenms/blob/0e741e365aa974a74aee6b43d1b4b759158a5c7e/includes/html/modal/alert_template.inc.php#L205
test1<script>{onerror=alert}throw 1337</script>
This is a Self Cross-Site Scripting (Self-XSS) vulnerability. Although the risk is lower compared to traditional XSS, it can still be exploited through social engineering or tricking users into entering or interacting with malicious code. This can lead to unauthorized actions or data exposure in the context of the affected user's session.