Improperly Controlled Modification of Dynamically-Determined Object Attributes in librenms/librenms
CVE-2022-4068

7.6HIGH

Key Information:

Vendor: Librenms
Status: Librenms/librenms
Vendor: CVE Published:; 20 November 2022

What is CVE-2022-4068?

A user is able to enable their own account if it was disabled by an admin while the user still holds a valid session. Moreover, the username is not properly sanitized in the admin user overview. This enables an XSS attack that enables an attacker with a low privilege user to execute arbitrary JavaScript in the context of an admin's account.

Affected Version(s)

librenms/librenms < 22.10.0

References

https://huntr.dev/bounties/becfecc4-22a6-4f94-bf83-d6030b...

https://github.com/librenms/librenms/commit/09a2977adb8bc...

EPSS Score

42% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

7.6

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Nov 20, 2022
Vulnerability Reserved
Nov 20, 2022

Librenms

What is CVE-2022-4068?

Affected Version(s)

References

EPSS Score

CVSS V3.1

Timeline