CVE-2024-53457

5.4 MEDIUM

📋 TL;DR

A stored cross-site scripting (XSS) vulnerability in LibreNMS allows an authenticated attacker to inject malicious scripts into the Display Name parameter in Device Settings. When other users view the affected device page, the scripts execute in their browsers, potentially stealing session cookies or performing unauthorized actions. This affects LibreNMS installations running versions 24.9.0 through 24.10.0.

💻 Affected Systems

Products:
  • LibreNMS
Versions: 24.9.0 to 24.10.0
Operating Systems: All platforms running LibreNMS
Default Config Vulnerable: ⚠️ Yes
Notes: All installations within the affected version range are vulnerable regardless of configuration.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal administrator session cookies, gain full administrative access to LibreNMS, pivot to internal networks, or deploy ransomware across monitored infrastructure.

🟠

Likely Case

Attackers steal user session cookies to gain unauthorized access, modify device configurations, or deploy backdoors in the monitoring system.

🟢

If Mitigated

Limited to session hijacking of users who view the malicious device page, with no privilege escalation if proper session security is implemented.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access to modify device settings. Public proof-of-concept code is available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 24.10.1 or later

Vendor Advisory: https://github.com/librenms/librenms/releases

Restart Required: No

Instructions:

1. Back up your LibreNMS installation and database.
2. Update LibreNMS to version 24.10.1 or later using git: 'git pull origin master'.
3. Run database updates: './daily.sh'.
4. Clear browser caches.

🔧 Temporary Workarounds

Input Validation Filter

Applies to: all

Add custom input validation to sanitize the Display Name field before storage.

Edit the LibreNMS source to add HTML entity encoding for the Display Name field.

Web Application Firewall Rule

Applies to: all

Block XSS payloads in POST requests to device settings endpoints.

Add a WAF rule to block scripts in the 'display' parameter.

🧯 If You Can't Patch

  • Restrict device modification permissions to trusted administrators only
  • Implement Content Security Policy (CSP) headers to block inline script execution

🔍 How to Verify

Check if Vulnerable:

Check the LibreNMS version via the web interface or from the CLI: 'grep version /opt/librenms/.env'

Check Version:

grep '^APP_VERSION=' /opt/librenms/.env || grep -i version /opt/librenms/.env

Verify Fix Applied:

Verify that the version is 24.10.1 or later and confirm that a test payload entered in the Display Name field is rendered as HTML-encoded text rather than executed.

📡 Detection & Monitoring

Log Indicators:

  • Unusual device name modifications containing script tags
  • Multiple failed login attempts followed by device setting changes

Network Indicators:

  • POST requests to /device/ with script payloads in parameters

SIEM Query:

source="librenms" ("display" AND ("<script>" OR "javascript:" OR "onerror="))
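The SIEM query above expressed as log-review logic, as an added example that is not part of this advisory or of LibreNMS: it parses constructed access-log lines (the log format and the body= field are assumptions; real LibreNMS or web-server logs will differ), URL-decodes the 'display' parameter of POST requests to /device/ paths, and flags values containing the indicators named above.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Indicator strings from the SIEM query above; matched case-insensitively
# after URL decoding so "%3Cscript%3E" is caught as well as "<script>".
INDICATORS = ("<script>", "javascript:", "onerror=")

# Constructed sample log lines (assumed format: combined-log style with the
# POST body's form fields appended as body="..."). Not real LibreNMS logs.
SAMPLE_LOGS = [
    '10.0.0.5 - alice [12/Nov/2024:10:01:02 +0000] "POST /device/42/edit HTTP/1.1" 302 body="display=core-sw-01&sysName=core-sw-01"',
    '10.0.0.9 - bob [12/Nov/2024:10:05:44 +0000] "POST /device/42/edit HTTP/1.1" 302 body="display=%3Cscript%3Ealert(1)%3C%2Fscript%3E"',
    '10.0.0.9 - bob [12/Nov/2024:10:06:10 +0000] "GET /device/42 HTTP/1.1" 200 body=""',
    '10.0.0.7 - carol [12/Nov/2024:10:07:00 +0000] "POST /device/7/edit HTTP/1.1" 302 body="display=rtr-edge+%22+onerror%3Dalert(1)"',
]

LINE_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d+) body="(?P<body>[^"]*)"$'
)


def parse_line(line):
    """Split one log line into fields; form fields in body= are URL-decoded."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["params"] = {k: v[0] for k, v in parse_qs(rec["body"]).items()}
    return rec


def is_suspicious_display(value):
    """True if a (possibly double-encoded) display value carries an indicator."""
    decoded = unquote_plus(value).lower()  # second decode catches %253C-style nesting
    return any(ind in decoded for ind in INDICATORS)


def find_device_setting_tampering(lines):
    """Return POST /device/ requests whose 'display' parameter matches an indicator."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["method"] != "POST" or not rec["path"].startswith("/device/"):
            continue
        display = rec["params"].get("display")
        if display is not None and is_suspicious_display(display):
            hits.append({"ts": rec["ts"], "user": rec["user"], "ip": rec["ip"],
                         "path": rec["path"], "display": display})
    return hits
```

Point it at lines from your own access logs (adjusting LINE_RE to their format) to get the user, source IP and timestamp of each flagged Display Name change for triage.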
