CVE-2024-47524

7.2 HIGH

📋 TL;DR

This is a stored cross-site scripting (XSS) vulnerability in LibreNMS where administrators can inject malicious JavaScript into Device Group names. When other users view these groups, the JavaScript executes in their browsers. Only LibreNMS instances with admin users are affected.

💻 Affected Systems

Products:
  • LibreNMS
Versions: All versions before 24.9.0
Operating Systems: All platforms running LibreNMS
Default Config Vulnerable: ⚠️ Yes
Notes: Requires admin role to exploit; regular users cannot trigger the vulnerability.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Admin could steal session cookies, redirect users to malicious sites, or perform actions as other users, potentially leading to full system compromise.

🟠 Likely Case

Admin could perform session hijacking, deface pages, or steal credentials from other users viewing device groups.

🟢 If Mitigated

With proper input validation and output encoding, no impact beyond viewing unsanitized text.

🌐 Internet-Facing: HIGH if instance is internet-accessible, as attackers could target admin accounts.
🏢 Internal Only: MEDIUM as it requires admin privileges but could still impact internal users.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires admin privileges; trivial to execute once admin access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 24.9.0

Vendor Advisory: https://github.com/librenms/librenms/security/advisories/GHSA-fc38-2254-48g7

Restart Required: No

Instructions:

1. Backup your LibreNMS installation and database.
2. Update to version 24.9.0 or later via git: 'git pull origin master'.
3. Run database updates if needed: './daily.sh'.
4. Verify the fix by checking the version.

🔧 Temporary Workarounds

Input Validation via Configuration

Applies to: all

Implement custom input validation for Device Group names to reject JavaScript code.

Configuration steps: Not applicable - requires code modification

🧯 If You Can't Patch

  • Restrict admin privileges to trusted users only and monitor admin activities.
  • Implement web application firewall (WAF) rules to block XSS payloads in Device Group names.

🔍 How to Verify

Check if Vulnerable:

Check if LibreNMS version is below 24.9.0 using the version check command.

Check Version:

grep 'version' /opt/librenms/LibreNMS/Version.php | grep -o "[0-9]\+\.[0-9]\+\.[0-9]\+"

(The original command used '\d', which is not a POSIX or GNU grep character class; the bracket expression '[0-9]' matches the version digits.)
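The grep above only prints the version string; deciding whether it is older than 24.9.0 still needs a numeric comparison, because a plain string comparison sorts "24.10.0" before "24.9.0". The following is an added example, not LibreNMS code. It assumes the version appears in Version.php as a constant assignment of the form VERSION = '24.8.1' (the file contents below are constructed for illustration), and the function check_file is a hypothetical helper that reads the real file.

```python
"""Added example: decide whether a LibreNMS version predates the CVE-2024-47524 fix."""
import re
from typing import Optional, Tuple

# First release carrying the fix, per the advisory above.
FIXED_VERSION: Tuple[int, int, int] = (24, 9, 0)

# Constructed sample of a Version.php fragment (assumption: the version is
# stored as a quoted x.y.z string assigned to a VERSION constant).
SAMPLE_VERSION_PHP = """<?php
class Version
{
    public const VERSION = '24.8.1';
}
"""

# Same intent as the grep in the advisory, but anchored on the constant name
# and using [0-9] groups rather than the non-POSIX '\\d'.
_VERSION_RE = re.compile(r"VERSION\s*=\s*['\"]([0-9]+)\.([0-9]+)\.([0-9]+)")


def parse_version_string(text: str) -> Optional[Tuple[int, int, int]]:
    """Parse 'x.y.z' (optionally with a trailing suffix) into an int tuple."""
    m = re.match(r"\s*([0-9]+)\.([0-9]+)\.([0-9]+)", text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def parse_version_php(php_source: str) -> Optional[Tuple[int, int, int]]:
    """Extract the version tuple from Version.php contents, or None if absent."""
    m = _VERSION_RE.search(php_source)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def is_vulnerable(version: Tuple[int, int, int]) -> bool:
    """Tuple comparison is numeric per component, so (24, 10, 0) is not
    flagged as older than (24, 9, 0), unlike a lexicographic string compare."""
    return version < FIXED_VERSION


def check_file(path: str) -> str:
    """Hypothetical helper: read a Version.php on disk and report status."""
    with open(path, encoding="utf-8") as fh:
        version = parse_version_php(fh.read())
    if version is None:
        return "could not determine version"
    state = "VULNERABLE" if is_vulnerable(version) else "patched"
    return "%d.%d.%d: %s" % (version + (state,))


if __name__ == "__main__":
    v = parse_version_php(SAMPLE_VERSION_PHP)
    print("sample version:", v, "vulnerable:", is_vulnerable(v))
```

Run check_file("/opt/librenms/LibreNMS/Version.php") on a host to get a one-line verdict; the string-comparison pitfall is the reason the comparison is done on integer tuples rather than on the raw grep output.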

Verify Fix Applied:

After updating, attempt to inject JavaScript into a Device Group name and verify it's properly sanitized when viewed.

📡 Detection & Monitoring

Log Indicators:

  • Unusual Device Group creation/modification by admin users
  • Log entries showing JavaScript in Device Group names

Network Indicators:

  • HTTP requests containing JavaScript payloads in Device Group parameters

SIEM Query:

source="librenms.log" AND ("Device Group" AND ("script" OR "javascript" OR "onerror"))
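The SIEM query above is a starting point; in practice the payload in a Device Group name may arrive URL-encoded or HTML-entity-encoded, and a bare "script" keyword also matches innocuous words such as "description". The following added example (not LibreNMS code) implements the same detection idea over constructed log lines: it restricts matching to device-group events, normalises encodings before matching, and uses indicators that require the tag or attribute context rather than a bare keyword. Log format, field names and the sample lines are all constructed for illustration.

```python
"""Added example: scan log lines for XSS indicators in Device Group events."""
import html
import re
from typing import List, NamedTuple
from urllib.parse import unquote


class Finding(NamedTuple):
    line_no: int
    indicator: str
    line: str


# Indicators are matched after normalisation; "<script" rather than "script"
# so that words like "description" do not trigger a false positive.
INDICATORS = ("<script", "javascript:", "onerror", "onload")

# Only lines that concern device groups are inspected (assumed naming:
# "device group", "device_group", "device-group", case-insensitive).
GROUP_MARKER = re.compile(r"device[ _-]?groups?", re.IGNORECASE)


def normalise(text: str) -> str:
    """Undo common encodings so an obfuscated payload still matches.

    URL-decoding is applied twice because double-encoding is a common evasion;
    HTML entities are decoded afterwards; the result is lower-cased.
    """
    for _ in range(2):
        text = unquote(text)
    return html.unescape(text).lower()


def scan_lines(lines: List[str]) -> List[Finding]:
    """Return one Finding per device-group line containing an indicator."""
    findings: List[Finding] = []
    for line_no, line in enumerate(lines, start=1):
        if not GROUP_MARKER.search(line):
            continue
        norm = normalise(line)
        for indicator in INDICATORS:
            if indicator in norm:
                findings.append(Finding(line_no, indicator, line.rstrip()))
                break  # one finding per line is enough for alerting
    return findings


# Constructed sample log lines (not real LibreNMS output).
SAMPLE_LOG = [
    "2024-09-10 12:00:01 admin created device group name='Core Routers'",
    "2024-09-10 12:05:13 admin modified device group name='<script>x</script>'",
    "2024-09-10 12:07:44 POST /device-groups name=%3Cimg+src%3Dx+onerror%3Dx%3E",
    "2024-09-10 12:09:00 user viewed device list",
    "2024-09-10 12:11:30 admin modified device group name='&lt;script&gt;x&lt;/script&gt;'",
    "2024-09-10 12:12:00 admin updated device group description",
]


if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LOG):
        print("line %d [%s]: %s" % (f.line_no, f.indicator, f.line))
```

Lines 2, 3 and 5 of the sample are reported (plain, URL-encoded and entity-encoded forms respectively), while the "description" line is not, which is the gap in a keyword-only query that the normalisation-plus-context indicators close. Any hit should be correlated with the admin account that made the change, since only admin users can reach this code path.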
