
CVE-2021-44277: Cross-site Scripting in LibreNMS

CVSS Score (v3.1): 6.1

Basic Information

EPSS Score
0.00093%
Published
12/3/2021
Updated
9/19/2023
KEV Status
No
Technology
PHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Package Name        Ecosystem   Vulnerable Versions   First Patched Version
librenms/librenms   composer    <= 21.11.0            (none listed)

Vulnerability Intelligence

Root Cause Analysis

The CVE and advisory explicitly name alert-log.inc.php as the vulnerable component. GitHub PR #13554 shows that the fix sanitizes the user input at its source by casting $_POST['min_severity'] to an integer before it is used in an HTML context. Before this fix, the unescaped value was used to build the $selected_min_severity variable that was emitted in the HTML output, creating an XSS vector. The vulnerability matches the classic reflected XSS pattern: user input is echoed into the response without proper output encoding.

WAF Protection Rules

WAF Rule

LibreNMS **.**.* is affected by a Cross Site Scripting (XSS) vulnerability in includes/html/common/alert-log.inc.php.
