CVE-2021-44277: Cross-site Scripting in LibreNMS
CVSS Score: 6.1 (CVSS 3.1)
Basic Information
CVE ID
GHSA ID
EPSS Score: 0.00093%
CWE
Published: 12/3/2021
Updated: 9/19/2023
KEV Status: No
Technology: PHP
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
librenms/librenms | composer | <= 21.11.0 | |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The CVE and advisory explicitly name alert-log.inc.php as the vulnerable component. GitHub PR #13554 shows that the fix sanitizes user input at the source by casting $_POST['min_severity'] to an integer before it is used in an HTML context. Prior to this fix, the unescaped user input was used to build the $selected_min_severity variable in HTML output, creating an XSS vector. The vulnerability matches the classic reflected XSS pattern, in which user input is echoed into output without proper encoding.
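
The before/after pattern described above, as an added PHP example that is not LibreNMS code: the helper names, the severity map and the sample request value are constructed for illustration. The allow-list check and the output encoding are assumptions that go beyond the integer cast the page attributes to PR #13554.

```php
<?php
// Added illustration of the pattern described above; not LibreNMS source code.
// SEVERITIES and both function names are hypothetical.
const SEVERITIES = [1 => 'Ok', 2 => 'Warning', 3 => 'Critical'];

// "Before": the request value is copied into an HTML attribute unchanged,
// so a quote character in the value ends the attribute and starts new markup.
function render_filter_unsafe(array $post): string
{
    $selected_min_severity = $post['min_severity'] ?? '';
    return '<input name="min_severity" value="' . $selected_min_severity . '">';
}

// "After": cast to int at the source (the fix the page describes), then
// constrain to known values and encode at the point of output as extra layers.
function render_filter_safe(array $post): string
{
    $raw = $post['min_severity'] ?? 0;
    // A scalar is cast; anything else (for example an array parameter) becomes 0.
    $selected_min_severity = is_scalar($raw) ? (int) $raw : 0;
    if (!array_key_exists($selected_min_severity, SEVERITIES)) {
        $selected_min_severity = 0; // unknown value: fall back to "no filter"
    }
    $encoded = htmlspecialchars((string) $selected_min_severity, ENT_QUOTES, 'UTF-8');
    return '<input name="min_severity" value="' . $encoded . '">';
}

// Constructed sample requests: a benign markup-breaking value, a valid value,
// an out-of-range value and an array-typed parameter.
$samples = [
    ['min_severity' => '2"><em>injected</em>'],
    ['min_severity' => '3'],
    ['min_severity' => '99'],
    ['min_severity' => ['x']],
];

foreach ($samples as $post) {
    if (is_scalar($post['min_severity'])) {
        echo 'unsafe: ', render_filter_unsafe($post), PHP_EOL;
    }
    echo 'safe:   ', render_filter_safe($post), PHP_EOL;
}
```

With the first sample, the unsafe renderer emits the `<em>` element as live markup, while the safe renderer emits only `value="2"`.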