Miggo Logo

CVE-2024-53457: LibreNMS stored cross-site scripting (XSS) vulnerability in the Device Settings section

5.4

CVSS Score
3.1

Basic Information

EPSS Score
0.03474%
Published
12/6/2024
Updated
12/10/2024
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
librenms/librenmscomposer>= 24.9.0, < 24.11.024.11.0

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from unsanitized usage of displayName()/shortDisplayName() outputs in multiple templating contexts. The patch adds htmlentities() and strip_tags() to these locations. High-confidence entries directly map to Display Name XSS vectors described in advisories, while PortsController.ifAlias handling is marked medium confidence as it's a secondary vector.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* stor** *ross-sit* s*riptin* (XSS) vuln*r**ility in t** **vi** S*ttin*s s**tion o* Li*r*NMS v**.*.* to v**.**.* *llows *tt**k*rs to *x**ut* *r*itr*ry w** s*ripts or *TML vi* * *r**t** p*ylo** inj**t** into t** *ispl*y N*m* p*r*m*t*r.

Reasoning

T** vuln*r**ility st*ms *rom uns*nitiz** us*** o* `*ispl*yN*m*()`/`s*ort*ispl*yN*m*()` outputs in multipl* t*mpl*tin* *ont*xts. T** p*t** ***s `*tml*ntiti*s()` *n* `strip_t**s()` to t**s* lo**tions. *i**-*on*i**n** *ntri*s *ir**tly m*p to *ispl*y N*m
CVE-2024-53457: LibreNMS Device Settings XSS | Miggo