Stored XSS Flaw in LibreNMS Network Monitoring Solution
CVE-2024-49764

5.4MEDIUM

Key Information:

Vendor: Librenms
Status: Librenms
Vendor: CVE Published:; 15 November 2024

What is CVE-2024-49764?

A Stored Cross-Site Scripting (XSS) vulnerability exists in LibreNMS, an open-source network monitoring system. Authenticated users can exploit the flaw on the 'Capture Debug Information' page by injecting arbitrary JavaScript via the 'hostname' parameter when adding a new device. This malicious code execution occurs when the vulnerable page is accessed, potentially redirecting users and sending non-httponly cookies to an attacker-controlled domain. Users are strongly advised to update to version 24.10.0 or later to mitigate this issue.

References

https://github.com/librenms/librenms/security/advisories/...

https://github.com/librenms/librenms/commit/af15eabbb1752...

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 15, 2024

Librenms

What is CVE-2024-49764?

References

CVSS V3.1

Timeline