CVE-2024-49758
📋 TL;DR
This is a stored cross-site scripting (XSS) vulnerability in LibreNMS where administrators can inject malicious JavaScript into device notes. When the ExamplePlugin is enabled, this JavaScript executes in the context of other users viewing the device. Only LibreNMS instances with the ExamplePlugin enabled are affected.
💻 Affected Systems
- LibreNMS
📦 What is this software?
LibreNMS by LibreNMS
⚠️ Risk & Real-World Impact
Worst Case
An attacker with admin privileges could steal session cookies, perform actions as other users, or redirect users to malicious sites, potentially leading to full account compromise.
Likely Case
Malicious admin could execute limited JavaScript in other users' browsers, potentially stealing session data or performing unauthorized actions.
If Mitigated
With proper input validation and output encoding there is no impact, because the JavaScript in the note is neutralized before it reaches another user's browser.
🎯 Exploit Status
Requires admin privileges to add malicious notes and the ExamplePlugin must be enabled. Exploitation is straightforward once these conditions are met.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 24.10.0
Vendor Advisory: https://github.com/librenms/librenms/security/advisories/GHSA-c86q-rj37-8f85
Restart Required: No
Instructions:
1. Back up your LibreNMS installation and database.
2. Update to version 24.10.0 or later using your preferred update method (git pull, package manager, or manual download).
3. Run ./daily.sh to update the database schema if needed.
🔧 Temporary Workarounds
Disable ExamplePlugin
- Disable the ExamplePlugin to prevent exploitation of this vulnerability
- Edit the LibreNMS configuration to remove or comment out ExamplePlugin references
- Restart the web server if necessary
Input Validation
- Implement additional input validation for the device notes field
- Add custom validation rules to sanitize HTML/JavaScript input in device notes
🧯 If You Can't Patch
- Disable the ExamplePlugin immediately
- Restrict admin privileges to trusted users only and monitor admin activity
🔍 How to Verify
Check if Vulnerable:
Check whether the LibreNMS version is below 24.10.0 and whether the ExamplePlugin is enabled in the configuration
Check Version:
cd /opt/librenms && git describe --tags 2>/dev/null || grep 'version' config.php
Verify Fix Applied:
Verify that the version is 24.10.0 or later and confirm that script content entered in a device note is rendered as text rather than executed
📡 Detection & Monitoring
Log Indicators:
- Unusual JavaScript patterns in device notes
- Multiple note updates from admin accounts
- ExamplePlugin activation logs
Network Indicators:
- Suspicious outbound connections from LibreNMS server after viewing device notes
SIEM Query:
source="librenms_logs" AND ("device notes" OR "ExamplePlugin") AND (javascript OR script OR alert)
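The "unusual JavaScript patterns in device notes" and "multiple note updates from admin accounts" indicators above can be checked offline against an export of the device notes table. The following is an added defender-side example, not code from LibreNMS or from this advisory: it assumes each exported row carries a `device_id`, the account that last edited the note (`editor`) and the note text (`notes`), all hypothetical field names, and the sample rows are constructed for the example. The regular expressions are illustrative heuristics for markup that has no business in a plain-text note, not LibreNMS's own sanitizer.

```python
import re
from dataclasses import dataclass, field

# Heuristic patterns for active content inside a note that should be plain text.
# (Illustrative only; not the application's sanitizer.)
SUSPICIOUS_PATTERNS = [
    (re.compile(r"<\s*script\b", re.I), "script tag"),
    (re.compile(r"\bon[a-z]+\s*=", re.I), "inline event handler"),
    (re.compile(r"javascript\s*:", re.I), "javascript: URL"),
    (re.compile(r"<\s*(iframe|img|svg|object|embed)\b", re.I), "embedded element"),
]


@dataclass
class NoteFinding:
    device_id: int
    editor: str
    reasons: list = field(default_factory=list)


def scan_notes(rows):
    """Return one NoteFinding per row whose note text matches any suspicious pattern."""
    findings = []
    for row in rows:
        reasons = [label for pattern, label in SUSPICIOUS_PATTERNS
                   if pattern.search(row["notes"])]
        if reasons:
            findings.append(NoteFinding(row["device_id"], row["editor"], reasons))
    return findings


def repeated_editors(rows, threshold=3):
    """Accounts that edited at least `threshold` notes in the export (volume indicator)."""
    counts = {}
    for row in rows:
        counts[row["editor"]] = counts.get(row["editor"], 0) + 1
    return {editor: n for editor, n in counts.items() if n >= threshold}


# Constructed sample export; field names and contents are hypothetical.
SAMPLE_ROWS = [
    {"device_id": 1, "editor": "admin", "notes": "Core switch, rack 3. Replaced PSU 2024-09."},
    {"device_id": 2, "editor": "admin", "notes": '<script src="//example.invalid/x.js"></script>'},
    {"device_id": 3, "editor": "netops", "notes": '<img src=x onerror="probe()">'},
    {"device_id": 4, "editor": "admin", "notes": "Uplink to ISP; contact NOC before maintenance."},
    {"device_id": 5, "editor": "admin", "notes": 'See <a href="javascript:void(0)">link</a>'},
]

if __name__ == "__main__":
    for finding in scan_notes(SAMPLE_ROWS):
        print(f"device {finding.device_id} edited by {finding.editor}: {', '.join(finding.reasons)}")
    print("high-volume editors:", repeated_editors(SAMPLE_ROWS))
```

Run against a real export, the findings list is the set of notes to review by hand; the editor counts only point at accounts whose note activity is worth correlating with the admin-activity monitoring recommended above.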