The vulnerability is a stored Cross-Site Scripting (XSS) issue in the LibreNMS Alert Rule API. The root cause is the `add_edit_rule` function in `includes/html/api_functions.inc.php`: when handling API requests that create or edit alert rules, it did not sanitize the `name` and `notes` parameters. As shown in the patch, the fix applies `strip_tags` to both parameters. Without that sanitization, an attacker could submit a crafted API request whose rule name carries a JavaScript payload; the name is stored in the database as received.

The payload executes when a user opens a page that renders alert rules, such as `includes/html/print-alert-rules.php` or the modal produced by `includes/html/modal/alert_rule_list.inc.php`. The description notes that the application did apply an encoding function (`e()`) on output, but the client-side JavaScript library (`bootgrid()`) decoded the resulting entities before inserting the content, so the encoding was undone and the script still ran. `add_edit_rule` is the primary vulnerable function because it is the entry point for the malicious data.

Vulnerable function: `add_edit_rule` in `includes/html/api_functions.inc.php`
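The following is an added illustration, not LibreNMS code, that models the three stages described above: the API storing a rule name (with and without the `strip_tags` fix), the server's output encoding (standing in for `e()`), and a client-side grid that decodes entities before inserting them as HTML (standing in for `bootgrid()`). The rule names, the regex stand-in for PHP's `strip_tags`, and the `contains_markup` check are constructed for this example. It shows why output encoding alone did not hold here and why sanitizing at the input boundary closed the issue.

```python
import html
import re

# Constructed sample rule names for the demonstration (not from the advisory).
SAMPLE_NAMES = {
    "plain": "High CPU on core routers",
    "markup": "High CPU <i>on core routers</i>",
}

TAG_RE = re.compile(r"<[^>]*>")


def strip_tags(value: str) -> str:
    """Approximation of PHP strip_tags(): drop anything that looks like an HTML tag.
    Assumption: a regex stand-in for the example, not LibreNMS's own helper."""
    return TAG_RE.sub("", value)


def store_rule_unsanitized(name: str) -> str:
    """Pre-fix behaviour: the API stored the name exactly as received."""
    return name


def store_rule_sanitized(name: str) -> str:
    """Post-fix behaviour: tags are stripped before the name is stored."""
    return strip_tags(name)


def server_render(stored_name: str) -> str:
    """Server-side output encoding, standing in for the e() helper."""
    return html.escape(stored_name, quote=True)


def client_grid_render(encoded: str) -> str:
    """Models a client-side grid that decodes entities and then inserts the
    result as HTML. This is the step that undoes the server's encoding."""
    return html.unescape(encoded)


def contains_markup(fragment: str) -> bool:
    """Defender's check: does the text the browser would parse still hold a tag?"""
    return TAG_RE.search(fragment) is not None


def final_fragment(name: str, sanitize_input: bool) -> str:
    """Run a rule name through store -> encode -> client decode and return what
    the browser would parse as HTML."""
    stored = store_rule_sanitized(name) if sanitize_input else store_rule_unsanitized(name)
    return client_grid_render(server_render(stored))


if __name__ == "__main__":
    for label, name in SAMPLE_NAMES.items():
        for sanitize in (False, True):
            frag = final_fragment(name, sanitize)
            print(f"{label:6} sanitize={sanitize!s:5} -> {frag!r} markup={contains_markup(frag)}")
```

With input sanitization off, the benign `<i>` tag in the second sample survives the round trip intact, which is exactly the path a script payload would take; with `strip_tags` applied at the API boundary, no tag reaches the client regardless of what the grid library does with entities. The general lesson is that output encoding is only effective if nothing downstream reverses it, so a sanitization step at the point where untrusted data enters storage is the robust control.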
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| librenms/librenms | composer | < 25.12.0 | 25.12.0 |