CVE-2022-4068 HIGH

CVE-2022-4068: Improperly Controlled Modification of Dynamically-Determined Object Attributes in librenms/librenms

Vendor Librenms
Product librenms/librenms
Weakness CWE-915
Published November 20, 2022
Last update April 25, 2025

CVSS base score

7.6/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L

What the vulnerability does

01 Description

A user can re-enable their own account after an admin has disabled it, as long as the user still holds a valid session. In addition, the username is not properly sanitized in the admin user overview. This allows an XSS attack in which an attacker with a low-privilege account executes arbitrary JavaScript in the context of an admin's account.

Key dates

02 Disclosure timeline

November 20, 2022 CVE published
April 25, 2025 Record updated
