CVE-2024-52526
📋 TL;DR
This stored XSS vulnerability in LibreNMS allows authenticated users to inject malicious JavaScript into the Services tab description field. When other users view the compromised device page, the script executes in their browser session, potentially hijacking accounts or performing unauthorized actions. Only authenticated LibreNMS users can exploit this vulnerability.
💻 Affected Systems
- LibreNMS
📦 What is this software?
Librenms by Librenms
⚠️ Risk & Real-World Impact
Worst Case
An attacker could hijack administrator sessions, gain full system control, steal credentials, modify monitoring configurations, or pivot to other systems.
Likely Case
Privilege escalation within LibreNMS, session hijacking of other users, or data theft from user browsers.
If Mitigated
Limited impact if proper input validation and output encoding are implemented, or if user privileges are strictly controlled.
🎯 Exploit Status
Exploitation requires authenticated access. The vulnerability is straightforward to exploit once authenticated, as it involves injecting JavaScript into the 'descr' parameter.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 24.10.0
Vendor Advisory: https://github.com/librenms/librenms/security/advisories/GHSA-8fh4-942r-jf2g
Restart Required: No
Instructions:
1. Back up your LibreNMS installation and database.
2. Update to version 24.10.0 or later using your preferred update method (git pull, package manager, or manual download).
3. Run ./daily.sh to update the database schema if needed.
4. Clear browser caches and verify the fix.
🔧 Temporary Workarounds
Input Validation Filter
Implement server-side input validation to sanitize the 'descr' parameter before storage.
Modify relevant PHP files to apply htmlspecialchars() or similar sanitization to user input in service descriptions.
Output Encoding
Apply proper output encoding when displaying service descriptions in the web interface.
Ensure all echo/print statements for service descriptions use htmlspecialchars() with ENT_QUOTES flag.
🧯 If You Can't Patch
- Restrict user permissions to only trusted administrators who need to add/edit services.
- Implement a web application firewall (WAF) with XSS protection rules for the LibreNMS application.
🔍 How to Verify
Check if Vulnerable:
Check whether your LibreNMS version is below 24.10.0 by visiting the About page or running: grep 'version.*=' /opt/librenms/includes/variables.inc.php
Check Version:
grep "\$config\['version'\]" /opt/librenms/includes/variables.inc.php
Verify Fix Applied:
After updating, verify version is 24.10.0 or higher and test that JavaScript in service descriptions is properly escaped when displayed.
📡 Detection & Monitoring
Log Indicators:
- Unusual service description entries containing script tags or JavaScript code in LibreNMS logs
- Multiple service modifications from single user in short timeframe
Network Indicators:
- HTTP POST requests to /ajax_form.php with suspicious 'descr' parameter content
SIEM Query:
source="librenms_access.log" AND "POST /ajax_form.php" AND (descr CONTAINS "<script" OR descr CONTAINS "javascript:")
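The log indicator above (service descriptions containing script tags or JavaScript) can also be checked directly against stored or logged 'descr' values, including URL-encoded or entity-encoded ones that a plain substring match misses. The Python below is an added example, not LibreNMS code: the rule names, function names and sample rows are constructed for illustration, and it assumes descriptions have been exported as (service id, text) pairs.

```python
import html
import re
from urllib.parse import unquote_plus

# Markup that has no place in a plain-text service description (hypothetical rule names).
SUSPICIOUS = [
    ("script-tag", re.compile(r"</?script\b", re.I)),
    ("javascript-uri", re.compile(r"javascript\s*:", re.I)),
    ("html-tag", re.compile(r"<[a-z/!]", re.I)),
]

def normalize(value, max_rounds=3):
    """Undo URL and HTML-entity encoding layers so encoded markup is matched too."""
    for _ in range(max_rounds):
        decoded = html.unescape(unquote_plus(value))
        if decoded == value:
            break
        value = decoded
    return value

def audit_descr(value):
    """Return the names of every rule the (decoded) description matches."""
    text = normalize(value)
    return [name for name, rx in SUSPICIOUS if rx.search(text)]

def audit_services(rows):
    """rows: iterable of (service_id, description). Returns {service_id: [rule, ...]}."""
    findings = {}
    for service_id, descr in rows:
        hits = audit_descr(descr)
        if hits:
            findings[service_id] = hits
    return findings

def escaped_for_html(descr):
    """Python equivalent of PHP htmlspecialchars($descr, ENT_QUOTES)."""
    return html.escape(descr, quote=True)

# Constructed sample data, not taken from a real installation.
SAMPLE_ROWS = [
    (1, "HTTPS check for portal"),
    (2, "<script>alert(1)</script>"),
    (3, "%3Cscript%3Ealert(1)%3C%2Fscript%3E"),
    (4, "Disk usage < 80% & load > 2"),
    (5, "&lt;a href=&quot;javascript:void(0)&quot;&gt;status&lt;/a&gt;"),
]

if __name__ == "__main__":
    for sid, rules in audit_services(SAMPLE_ROWS).items():
        print(f"service {sid}: {', '.join(rules)}")
```

Rows flagged here are worth reviewing even after upgrading, since the update changes how descriptions are handled but does not remove values stored earlier.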