CVE-2024-50355 MEDIUM

CVE-2024-50355: LibreNMS has a Persistent XSS from Insecure Input Sanitization Affects Multiple Endpoints

Vendor Librenms

Product librenms

Weakness CWE-79 · XSS

Published November 15, 2024

Last update November 15, 2024

View on NVD All CVEs

CVSS base score

4.8/10

Attack vector Network

Attack complexity Low

Privileges required High

User interaction Required

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

LibreNMS is an open-source, PHP/MySQL/SNMP-based network monitoring system. User with Admin role can edit the Display Name of a device, the application did not properly sanitize the user input in the device Display Name, if java script code is inside the name of the device Display Name, its can be trigger from different sources. This vulnerability is fixed in 24.10.0.

Key dates

02Disclosure timeline

November 15, 2024 CVE published

November 15, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-50355 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

04Related CVE

CVE-2025-26887 WordPress EZ SQL Reports Shortcode Widget and DB Backup plugin <= 5.21.35 - Cross Site Scripting (XSS) vulnerability CVE-2024-11806 PKT1 Centro de envios <= 1.2.1 - Reflected Cross-Site Scripting CVE-2025-14985 Alpha Blocks <= 1.5.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'alpha_block_css' Post Meta CVE-2025-5661 code-projects Traffic Offense Reporting System Setting save-settings.php cross site scripting CVE-2022-1336 Carousel CK <= 1.1.0 - Admin+ Stored Cross-Site Scripting