GHSA-j8cq-7f6p-256x
Suggest an improvement- Source
- https://github.com/advisories/GHSA-j8cq-7f6p-256x
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/11/GHSA-j8cq-7f6p-256x/GHSA-j8cq-7f6p-256x.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-j8cq-7f6p-256x
- Aliases
- Published
- 2025-11-18T18:21:28Z
- Modified
- 2025-11-20T10:31:28.903507Z
- Severity
-
- 6.2 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N CVSS Calculator
- Summary
- LibreNMS vulnerable to Reflected Cross-Site Scripting (XSS) in endpoint `/maps/nodeimage` parameter `Image Name`
- Details
-
Summary
A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the LibreNMS application at the
/maps/nodeimageendpoint. TheImage Nameparameter is reflected in the HTTP response without proper output encoding or sanitization, allowing an attacker to craft a URL that, when visited by a victim, causes arbitrary JavaScript execution in the victim’s browser.Details
Vulnerable Endpoint:
GET /maps/nodeimageParameter:
Image Name(reflected in response)Vulnerability type: Reflected Cross-Site Scripting (XSS) — input is reflected in server response and executed in victim browser.
CWE: CWE-79 (Improper Neutralization of Input During Web Page Generation — Cross-site Scripting)
Description
The application takes the value of the
Image Nameparameter from a request to/maps/nodeimageand includes it in the generated page or response without proper contextual encoding. Because the input is reflected immediately back to the client and parsed as HTML/JavaScript by the browser, an attacker can craft a URL containing a malicious script. If a victim (for example, an authenticated user or administrator) is tricked into visiting that URL, the injected script will execute in the victim’s browser context.Proof of Concept (PoC)
Construct a request that includes the following payload in the
Image Nameparameter. The payload below should be used exactly as provided:<script>alert('PoC-XXS51')</script>Steps to reproduce
Authenticate as any user allowed to manage Node Images;
Navigate the endpoint '/maps/nodeimage' and click on "New Image". Choose any valide image and, on
Image Nameparameter, insert the payload above .
<img width="804" height="408" alt="image" src="https://github.com/user-attachments/assets/e6de8fc5-80a3-4cc3-81c5-2435dec25372" />
- Observe the server response page; if vulnerable, the payload will be executed by the browser and an alert box with
PoC-XXS51will appear.
<img width="713" height="589" alt="image" src="https://github.com/user-attachments/assets/202d602a-5f0b-4c7c-bb89-ffd1280c9e29" />
Observed behavior
The supplied payload is reflected in the HTTP response and interpreted by the browser, resulting in immediate execution (demonstrated by an alert popup). This confirms the application does not perform appropriate output encoding for the
Image Nameparameter.Impact
Reflected XSS can be used to:
Execute arbitrary JavaScript in the context of any user who visits the crafted link.
Steal session cookies or authentication tokens (leading to session hijacking).
Perform actions on behalf of the victim (CSRF-like actions executed via script).
Phish users by manipulating the page UI, or exfiltrate sensitive information visible to the victim.
Pivot to further attacks depending on application context and user privileges.
References
CWE-79 — Cross-Site Scripting (XSS).
OWASP XSS Prevention Cheat Sheet.
- Database specific
{ "severity": "MODERATE", "github_reviewed": true, "cwe_ids": [ "CWE-79" ], "nvd_published_at": "2025-11-18T23:15:56Z", "github_reviewed_at": "2025-11-18T18:21:28Z" }- References
Affected packages
Packagist / librenms/librenms
Package
- Name
- librenms/librenms
- Purl
- pkg:composer/librenms/librenms
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed25.11.0