CVE-2024-47523 HIGH

CVE-2024-47523: LibreNMS has Stored Cross-site Scripting vulnerability in "Alert Transports" feature

Vendor Librenms

Product librenms

Weakness CWE-79 · XSS

Published October 1, 2024

Last update October 2, 2024

View on NVD All CVEs

CVSS base score

7.5/10

Attack vector Network

Attack complexity Low

Privileges required High

User interaction Required

Confidentiality High

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:L

What the vulnerability does

01Description

LibreNMS is an open-source, PHP/MySQL/SNMP-based network monitoring system. A Stored Cross-Site Scripting (XSS) vulnerability in the "Alert Transports" feature allows authenticated users to inject arbitrary JavaScript through the "Details" section (which contains multiple fields depending on which transport is selected at that moment). This vulnerability can lead to the execution of malicious code in the context of other users' sessions, potentially compromising their accounts and allowing unauthorized actions. This vulnerability is fixed in 24.9.0.

Key dates

02Disclosure timeline

October 1, 2024 CVE published

October 2, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-47523 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

04Related CVE

CVE-2024-23889 Cross-Site Scripting (XSS) vulnerability in Cups Easy CVE-2024-13901 Counter Box: Add Engaging Countdowns, Timers & Counters to Your WordPress Site <= 2.0.6 - Authenticated (Administrator+) DOM-Based Stored Cross-Site Scripting CVE-2023-33991 Stored Cross-Site Scripting (Stored XSS) vulnerability in SAP UI5 Variant Management CVE-2022-4619 Sidebar Widgets by CodeLights <= 1.4 - Authenticated (Administrator+) Stored Cross-Site Scripting CVE-2024-11945 Email Reminders <= 2.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via id Parameter