Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS1nY2dwLXEyanEtZnc1Ms4AA_5z

LibreNMS has Stored Cross-site Scripting vulnerability in "Alert Templates" feature

Summary

A Self Cross-Site Scripting (Self-XSS) vulnerability in the "Alert Templates" feature allows users to inject arbitrary JavaScript into the alert template's name. This script executes immediately upon submission but does not persist after a page refresh.

Details

The vulnerability occurs when creating an alert template in the LibreNMS interface. Although the application sanitizes the "name" field when storing it in the database, this newly created template is immediately added to the table without any sanitization being applied to the name, allowing users to inject arbitrary JavaScript. This script executes when the template is created but does not persist in the database, thus preventing stored XSS.

For instance, the following payload can be used to exploit the vulnerability:
test1<script>{onerror=alert}throw 1337</script>

The root cause of this vulnerability lies in the lack of sanitization of the "name" variable before it is rendered in the table. The vulnerability exists because the bootgrid function of the jQuery grid plugin does not sanitize the text being added to the table. Although tags are stripped before being added to the database (as shown in the code below), the vulnerability still allows Self-XSS during the creation of the template.

Where the variable is being sanitized before being stored in the database:
https://github.com/librenms/librenms/blob/0e741e365aa974a74aee6b43d1b4b759158a5c7e/includes/html/forms/alert-templates.inc.php#L40

Where the vulnerability is happening:
https://github.com/librenms/librenms/blob/0e741e365aa974a74aee6b43d1b4b759158a5c7e/includes/html/modal/alert_template.inc.php#L205

PoC

1. Navigate to the "Alert Templates" creation page in the LibreNMS interface.
2. In the "Name" field, input the following payload:
   test1<script>{onerror=alert}throw 1337</script>
3. Submit the form to create the alert template.
4. Observe that the JavaScript executes immediately, triggering an alert popup. However, this code does not persist after refreshing the page.

Impact

This is a Self Cross-Site Scripting (Self-XSS) vulnerability. Although the risk is lower compared to traditional XSS, it can still be exploited through social engineering or tricking users into entering or interacting with malicious code. This can lead to unauthorized actions or data exposure in the context of the affected user's session.

Permalink: https://github.com/advisories/GHSA-gcgp-q2jq-fw52
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1nY2dwLXEyanEtZnc1Ms4AA_5z
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: 20 days ago
Updated: 20 days ago

CVSS Score: 3.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N

Identifiers: GHSA-gcgp-q2jq-fw52, CVE-2024-47526
References:

• https://github.com/librenms/librenms/security/advisories/GHSA-gcgp-q2jq-fw52
• https://github.com/librenms/librenms/commit/f259edc19b9f0ccca484c60b1ba70a0bfff97ef5
• https://github.com/librenms/librenms/blob/0e741e365aa974a74aee6b43d1b4b759158a5c7e/includes/html/forms/alert-templates.inc.php#L40
• https://github.com/librenms/librenms/blob/0e741e365aa974a74aee6b43d1b4b759158a5c7e/includes/html/modal/alert_template.inc.php#L205
• https://nvd.nist.gov/vuln/detail/CVE-2024-47526
• https://github.com/advisories/GHSA-gcgp-q2jq-fw52

Repository: https://github.com/librenms/librenms
Blast Radius: 1.1

Affected Packages