CVE-2024-50355

4.8 MEDIUM

📋 TL;DR

This is a stored cross-site scripting (XSS) vulnerability in LibreNMS where administrators can inject malicious JavaScript into device display names. When other users view devices with these names, the script executes in their browsers. Only LibreNMS instances with admin users are affected.

💻 Affected Systems

Products:
  • LibreNMS
Versions: All versions before 24.10.0
Operating Systems: All platforms running LibreNMS
Default Config Vulnerable: ⚠️ Yes
Notes: Requires admin role to exploit; regular users cannot trigger this vulnerability.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Admin could steal session cookies, redirect users to malicious sites, or perform actions as other users, potentially leading to full account compromise.

🟠

Likely Case

Admin could perform limited client-side attacks against other users, such as session hijacking or phishing within the application.

🟢

If Mitigated

With proper input validation and output encoding, no impact beyond benign display name changes.

🌐 Internet-Facing: MEDIUM - If LibreNMS is internet-accessible, attackers could exploit admin credentials to target all users.
🏢 Internal Only: LOW - Requires admin credentials, limiting attack surface to internal threats.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires admin credentials; simple JavaScript injection in display name field.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 24.10.0

Vendor Advisory: https://github.com/librenms/librenms/security/advisories/GHSA-4m5r-w2rq-q54q

Restart Required: No

Instructions:

1. Backup your LibreNMS installation and database.
2. Update to version 24.10.0 or later using git: 'git pull origin master'.
3. Run database updates: './lnms migrate'.
4. Clear cache: './lnms config:clear'.

🔧 Temporary Workarounds

Input Validation via Web Server


Configure web server to block script tags in POST requests to device edit endpoints.

# For Apache: Use mod_security rules
# For Nginx: Use $request_body filtering

🧯 If You Can't Patch

  • Restrict admin role permissions to trusted users only
  • Implement Content Security Policy headers to limit script execution

🔍 How to Verify

Check if Vulnerable:

Check if LibreNMS version is below 24.10.0 and admin can edit device display names.

Check Version:

cd /opt/librenms && git describe --tags

Verify Fix Applied:

After update, attempt to inject <script>alert('test')</script> in device display name - it should be sanitized.
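The version check above can be scripted so it is not done by eye. The following is an added example, not LibreNMS project code: it parses the output of 'git describe --tags' (LibreNMS tags are year.month.patch, and a '-N-gHASH' suffix means N commits past that tag) and compares it with the 24.10.0 fix version named in the advisory. The repository path /opt/librenms is taken from the page; the function names are this example's own.

```python
import re
import subprocess

# First release carrying the fix for CVE-2024-50355, per the vendor advisory.
FIXED_VERSION = (24, 10, 0)

def parse_describe(output):
    """Turn `git describe --tags` output such as '24.9.1' or '24.9.1-45-g1a2b3c4'
    into a (year, month, patch) tuple. Raises ValueError on anything unparseable."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", output.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {output!r}")
    return tuple(int(part) for part in m.groups())

def is_vulnerable(output):
    """True when the checked-out tag is older than 24.10.0.

    A checkout that is N commits past an older tag may already contain the fix
    commit, but git describe cannot tell us that, so such checkouts are treated
    as vulnerable: the check is deliberately conservative."""
    return parse_describe(output) < FIXED_VERSION

def installed_version(repo="/opt/librenms"):
    """Run git describe in the LibreNMS checkout and return its raw output."""
    result = subprocess.run(
        ["git", "describe", "--tags"],
        cwd=repo, capture_output=True, text=True, check=True,
    )
    return result.stdout

if __name__ == "__main__":
    raw = installed_version()
    state = "VULNERABLE (below 24.10.0)" if is_vulnerable(raw) else "fixed version or later"
    print(f"{raw.strip()}: {state}")
```

Run it on the LibreNMS host as the librenms user; a non-zero git exit (for example, a tarball install without a .git directory) raises from subprocess, in which case fall back to the version shown in the web UI.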

📡 Detection & Monitoring

Log Indicators:

  • Unusual device name edits containing script tags
  • Multiple device name changes by same admin

Network Indicators:

  • POST requests to /device/ with script content in display_name parameter

SIEM Query:

source="librenms" AND (uri_path="/device/" AND method="POST" AND request_body LIKE "%<script>%")
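The SIEM query above expresses the idea; the following added example (not LibreNMS code, not from the advisory) implements the same log indicators over constructed request records so they can be tested offline. It matches POST requests whose path starts with /device/ (a prefix match, since the real edit URL carries a device id) and inspects the URL-decoded display_name field. It goes slightly beyond the page's '<script>' string by also flagging inline event-handler attributes and javascript: URIs, which are the other common forms the same stored-XSS payload takes; the record field names and the sample requests are assumptions of this example.

```python
import re
from urllib.parse import parse_qs

# Constructed sample records, standing in for parsed web-server or proxy logs.
# Field names (method, uri_path, user, request_body) are this example's own.
SAMPLE_REQUESTS = [
    {"method": "POST", "uri_path": "/device/12/edit", "user": "admin",
     "request_body": "display_name=core-sw-01&hostname=10.0.0.1"},
    {"method": "POST", "uri_path": "/device/12/edit", "user": "admin",
     "request_body": "display_name=%3Cscript%3Ealert%28%27test%27%29%3C%2Fscript%3E"},
    {"method": "POST", "uri_path": "/device/13/edit", "user": "admin",
     "request_body": "display_name=edge%20router%20%3Cimg%20src%3Dx%20onerror%3Dx%3E"},
    {"method": "GET", "uri_path": "/device/12", "user": "viewer", "request_body": ""},
    {"method": "POST", "uri_path": "/login", "user": "-",
     "request_body": "username=x&password=y"},
]

# Markup that has no legitimate place in a device display name.
SUSPICIOUS = re.compile(
    r"<\s*/?\s*script\b"          # <script> or </script>
    r"|<\s*\w+[^>]*\son\w+\s*="   # any tag carrying an on* event-handler attribute
    r"|javascript\s*:",           # javascript: URI scheme
    re.IGNORECASE,
)

def suspicious_display_name(record):
    """Return the decoded display_name when a record looks like an injection
    attempt against the device edit endpoint, otherwise None."""
    if record.get("method") != "POST":
        return None
    if not record.get("uri_path", "").startswith("/device/"):
        return None
    fields = parse_qs(record.get("request_body", ""), keep_blank_values=True)
    for value in fields.get("display_name", []):
        if SUSPICIOUS.search(value):
            return value
    return None

def find_suspicious(records):
    """(user, path, display_name) for every record that trips the indicator."""
    hits = []
    for rec in records:
        name = suspicious_display_name(rec)
        if name is not None:
            hits.append((rec["user"], rec["uri_path"], name))
    return hits

def count_edits_per_user(records):
    """Count display-name edits per user, for the 'multiple device name changes
    by the same admin' indicator; threshold it in the SIEM, not here."""
    counts = {}
    for rec in records:
        if (rec.get("method") == "POST"
                and rec.get("uri_path", "").startswith("/device/")
                and "display_name=" in rec.get("request_body", "")):
            counts[rec["user"]] = counts.get(rec["user"], 0) + 1
    return counts

if __name__ == "__main__":
    for user, path, name in find_suspicious(SAMPLE_REQUESTS):
        print(f"ALERT user={user} path={path} display_name={name!r}")
    print("edits per user:", count_edits_per_user(SAMPLE_REQUESTS))
```

The URL decoding step matters: a raw-body LIKE "%<script>%" match misses the percent-encoded form a browser actually sends, so decode before matching, or have the log pipeline store the decoded body field.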

🔗 References
