CVE-2024-47528 MEDIUM

CVE-2024-47528: LibreNMS Contains a Stored XSS via File Upload

Vendor Librenms
Product librenms
Weakness CWE-116
Published October 1, 2024
Last update December 19, 2024

CVSS base score

4.6/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01Description

LibreNMS is an open-source, PHP/MySQL/SNMP-based network monitoring system. Stored Cross-Site Scripting (XSS) can be achieved by uploading a new Background for a Custom Map. Users with "admin" role can set background for a custom map, this allow the upload of SVG file that can contain XSS payload which will trigger on load. This led to Stored Cross-Site Scripting (XSS). The vulnerability is fixed in 24.9.0.

Key dates

02Disclosure timeline

October 1, 2024 CVE published
December 19, 2024 Record updated

Related vulnerabilities

04Related CVE