CVE-2025-65013
LibreNMS vulnerable to Reflected Cross-Site Scripting (XSS) in endpoint `/maps/nodeimage` parameter `Image Name`
Description
## Summary A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the LibreNMS application at the `/maps/nodeimage` endpoint. The `Image Name` parameter is reflected in the HTTP response without proper output encoding or sanitization, allowing an attacker to craft a URL that, when visited by a victim, causes arbitrary JavaScript execution in the victim’s browser. ## Details - **Vulnerable Endpoint:** `GET /maps/nodeimage` - **Parameter:** `Image Name` (reflected in response) - **Vulnerability type:** Reflected Cross-Site Scripting (XSS) — input is reflected in server response and executed in victim browser. - **CWE:** CWE-79 (Improper Neutralization of Input During Web Page Generation — Cross-site Scripting) ## Description The application takes the value of the `Image Name` parameter from a request to `/maps/nodeimage` and includes it in the generated page or response without proper contextual encoding. Because the input is reflected immediately back to the client and parsed as HTML/JavaScript by the browser, an attacker can craft a URL containing a malicious script. If a victim (for example, an authenticated user or administrator) is tricked into visiting that URL, the injected script will execute in the victim’s browser context. ## Proof of Concept (PoC) Construct a request that includes the following payload in the `Image Name` parameter. The payload below should be used exactly as provided: ``` <script>alert('PoC-XXS51')</script> ``` ## Steps to reproduce 1. Authenticate as any user allowed to manage Node Images; 2. Navigate the endpoint '/maps/nodeimage' and click on "New Image". Choose any valide image and, on `Image Name` parameter, insert the payload above . <img width="804" height="408" alt="image" src="https://github.com/user-attachments/assets/e6de8fc5-80a3-4cc3-81c5-2435dec25372" /> 3. Observe the server response page; if vulnerable, the payload will be executed by the browser and an alert box with `PoC-XXS51` will appear. <img width="713" height="589" alt="image" src="https://github.com/user-attachments/assets/202d602a-5f0b-4c7c-bb89-ffd1280c9e29" /> ## Observed behavior The supplied payload is reflected in the HTTP response and interpreted by the browser, resulting in immediate execution (demonstrated by an alert popup). This confirms the application does not perform appropriate output encoding for the `Image Name` parameter. ## Impact Reflected XSS can be used to: - Execute arbitrary JavaScript in the context of any user who visits the crafted link. - Steal session cookies or authentication tokens (leading to session hijacking). - Perform actions on behalf of the victim (CSRF-like actions executed via script). - Phish users by manipulating the page UI, or exfiltrate sensitive information visible to the victim. - Pivot to further attacks depending on application context and user privileges. ## References - CWE-79 — Cross-Site Scripting (XSS). - OWASP XSS Prevention Cheat Sheet.