CVE-2024-47528

Summary

LibreNMS is an open-source, PHP/MySQL/SNMP-based network monitoring system. Stored Cross-Site Scripting (XSS) can be achieved by uploading a new Background for a Custom Map. Users with "admin" role can set background for a custom map, this allow the upload of SVG file that can contain XSS payload which will trigger on load. This led to Stored Cross-Site Scripting (XSS). The vulnerability is fixed in 24.9.0.

Affected Software

VendorProductVersion RangeStatus
librenmslibrenms< 24.9.0affected

Weaknesses

  • CWE-116: CWE-116: Improper Encoding or Escaping of Output
  • CWE-434: CWE-434: Unrestricted Upload of File with Dangerous Type
  • CWE-79: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

References