CVE-2024-51494
📋 TL;DR
This stored XSS vulnerability in LibreNMS allows authenticated users to inject malicious JavaScript into the Port Settings page via the 'descr' parameter. When other users view the compromised port settings, the script executes in their browser, potentially hijacking sessions or performing unauthorized actions. Only authenticated LibreNMS users can exploit this vulnerability.
💻 Affected Systems
- LibreNMS
📦 What is this software?
LibreNMS by LibreNMS
⚠️ Risk & Real-World Impact
Worst Case
An attacker with authenticated access could steal administrator session cookies, gain administrative privileges, and compromise the entire LibreNMS instance and monitored network devices.
Likely Case
Malicious authenticated users could perform session hijacking against other users, leading to unauthorized configuration changes or data exfiltration.
If Mitigated
With proper input validation and output encoding, the malicious script would be rendered harmless as text rather than executed.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once authenticated. The vulnerability details are publicly disclosed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 24.10.0
Vendor Advisory: https://github.com/librenms/librenms/security/advisories/GHSA-7663-37rg-c377
Restart Required: No
Instructions:
1. Back up your LibreNMS installation and database.
2. Update LibreNMS to version 24.10.0 or later using your preferred update method (git pull, package manager, or manual download).
3. Run ./daily.sh to update the database schema if needed.
4. Verify the update completed successfully.
🔧 Temporary Workarounds
Input Validation Filter
Implement server-side input validation to sanitize the 'descr' parameter before processing.
# Requires modifying LibreNMS source code to add proper input sanitization
Content Security Policy
Implement a strict Content Security Policy header to prevent inline script execution.
# Add to web server configuration or application headers: Content-Security-Policy: script-src 'self'
🧯 If You Can't Patch
- Restrict access to the Port Settings page to only trusted administrators
- Implement web application firewall rules to block XSS payloads in the 'descr' parameter
🔍 How to Verify
Check if Vulnerable:
Check if your LibreNMS version is below 24.10.0 by visiting the About page or running 'git describe --tags' in the LibreNMS directory.
Check Version:
cd /opt/librenms && git describe --tags 2>/dev/null || grep 'version' includes/html/common.inc.php
Verify Fix Applied:
After updating, verify the version is 24.10.0 or higher and test that script tags in the port description field are properly escaped.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /ajax_form.php with script tags in parameters
- Multiple failed login attempts followed by port modification requests
Network Indicators:
- HTTP requests containing JavaScript payloads in URL parameters or POST data
SIEM Query:
source="librenms_access.log" AND (uri_path="/ajax_form.php" AND (param="descr" AND value MATCHES "<script"))
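An added example (not part of the original page and not LibreNMS code) of the log check above: it percent-decodes the 'descr' form field before matching, because a literal "<script" match misses URL-encoded form bodies, and it generalizes the match to any HTML tag opener. It assumes request bodies are logged as JSON lines, which standard access logs do not record; the record layout and all sample values are constructed.

```python
import json
import re
from urllib.parse import parse_qs

# Constructed sample records. Assumed layout: one JSON object per line holding
# the method, path and raw form body. Every field except 'descr' is made up.
SAMPLE_LOG = """\
{"ts": "2024-11-02T10:01:00Z", "user": "alice", "method": "POST", "uri_path": "/ajax_form.php", "body": "port_id=12&descr=Uplink+to+core-sw1"}
{"ts": "2024-11-02T10:05:00Z", "user": "bob", "method": "POST", "uri_path": "/ajax_form.php", "body": "port_id=12&descr=%3Cscript%3Ealert(1)%3C%2Fscript%3E"}
{"ts": "2024-11-02T10:07:00Z", "user": "carol", "method": "POST", "uri_path": "/ajax_form.php", "body": "port_id=14&descr=rate+%3C+10G"}
{"ts": "2024-11-02T10:09:00Z", "user": "dave", "method": "GET", "uri_path": "/ajax_form.php", "body": ""}
truncated line that is not JSON
"""

# '<' directly followed by a letter, '/' or '!' is how an HTML tag opens;
# "rate < 10G" does not match, so ordinary descriptions are not flagged.
TAG_OPENER = re.compile(r"<[A-Za-z/!]")


def suspicious_descr(record):
    """Return the decoded 'descr' value if it contains HTML markup, else None."""
    if record.get("method") != "POST" or record.get("uri_path") != "/ajax_form.php":
        return None
    # parse_qs percent-decodes the form body, so %3Cscript%3E becomes <script>.
    fields = parse_qs(record.get("body", ""), keep_blank_values=True)
    for value in fields.get("descr", []):
        if TAG_OPENER.search(value):
            return value
    return None


def scan(log_text):
    """Return (timestamp, user, decoded descr) for every flagged request."""
    hits = []
    for line in log_text.splitlines():
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip damaged lines instead of aborting the scan
        if not isinstance(record, dict):
            continue
        value = suspicious_descr(record)
        if value is not None:
            hits.append((record.get("ts"), record.get("user"), value))
    return hits


if __name__ == "__main__":
    for ts, user, value in scan(SAMPLE_LOG):
        print(f"{ts} user={user} descr={value!r}")
```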