CVE-2024-47526

LibreNMS is an open-source, PHP/MySQL/SNMP-based network monitoring system. A Self Cross-Site Scripting (Self-XSS) vulnerability in the "Alert Templates" feature allows users to inject arbitrary JavaScript into the alert template's name. This script executes immediately upon submission but does not persist after a page refresh.

CVSS v3 3.5 LOW

3.5^/10

CVSS v3 : LOW

V3 Legend

Vector :

Exploitability : 0.9 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/librenms/librenms/blob/0e741e365aa974a74aee6b43d1b4b759158a5c7e/includes/html/forms/alert-templates.inc.php#L40	Product
https://github.com/librenms/librenms/blob/0e741e365aa974a74aee6b43d1b4b759158a5c7e/includes/html/modal/alert_template.inc.php#L205	Product
https://github.com/librenms/librenms/commit/f259edc19b9f0ccca484c60b1ba70a0bfff97ef5	Patch
https://github.com/librenms/librenms/security/advisories/GHSA-gcgp-q2jq-fw52	Exploit Product

Configurations

Configuration 1 (hide)

cpe:2.3:a:librenms:librenms:*:*:*:*:*:*:*:*

History

19 Dec 2024, 15:49

Type	Values Removed	Values Added
CPE		cpe:2.3:a:librenms:librenms::::::::
First Time		Librenms Librenms librenms
References	~~() https://github.com/librenms/librenms/blob/0e741e365aa974a74aee6b43d1b4b759158a5c7e/includes/html/forms/alert-templates.inc.php#L40 -~~	() https://github.com/librenms/librenms/blob/0e741e365aa974a74aee6b43d1b4b759158a5c7e/includes/html/forms/alert-templates.inc.php#L40 - Product
References	~~() https://github.com/librenms/librenms/blob/0e741e365aa974a74aee6b43d1b4b759158a5c7e/includes/html/modal/alert_template.inc.php#L205 -~~	() https://github.com/librenms/librenms/blob/0e741e365aa974a74aee6b43d1b4b759158a5c7e/includes/html/modal/alert_template.inc.php#L205 - Product
References	~~() https://github.com/librenms/librenms/commit/f259edc19b9f0ccca484c60b1ba70a0bfff97ef5 -~~	() https://github.com/librenms/librenms/commit/f259edc19b9f0ccca484c60b1ba70a0bfff97ef5 - Patch
References	~~() https://github.com/librenms/librenms/security/advisories/GHSA-gcgp-q2jq-fw52 -~~	() https://github.com/librenms/librenms/security/advisories/GHSA-gcgp-q2jq-fw52 - Exploit, Product

Information

Published : 2024-10-01 21:15

Updated : 2024-12-19 15:49

NVD link : CVE-2024-47526

Mitre link : CVE-2024-47526

CVE.ORG link : CVE-2024-47526

JSON object : View

Products Affected

librenms

librenms

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

3.5 /10