ghsa-c66p-64fj-jmc2
Vulnerability from github
StoredXSS-LibreNMS-MiscSection
Description:
Stored XSS on the parameter: ajax_form.php -> param: state
Request: ```http POST /ajax_form.php HTTP/1.1 Host: X-Requested-With: XMLHttpRequest X-CSRF-TOKEN: Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Cookie:
type=override-config&device_id=1&attrib=override_icmp_disable&state="> ```
of Librenms version 24.10.1 (https://github.com/librenms/librenms) allows remote attackers to inject malicious scripts. When a user views or interacts with the page displaying the data, the malicious script executes immediately, leading to potential unauthorized actions or data exposure.
The vulnerability in the line:
php
$attrib_val = get_dev_attrib($device, $name);
within the dynamic_override_config function arises because the value of $attrib_val is retrieved from untrusted data without any sanitization or encoding (at Line 778).
When dynamic_override_config is called, the unescaped $attrib_val is injected directly into the HTML (at misc.inc.php).
Proof of Concept:
1. Add a new device through the LibreNMS interface.
2. Edit the newly created device and select the Misc section.
3. In any of the following fields: "Override default ssh port", "Override default telnet port", "Override default http port" or "Unix agent port", enter the payload: "><img src onerror="alert(document.cookie)">.
4. Save the changes.
5. Observe that when the page loads, the XSS payload executes, triggering a popup that displays the current cookies.
Impact:
Execution of Malicious Code
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c 24.10.1"
},
"package": {
"ecosystem": "Packagist",
"name": "librenms/librenms"
},
"ranges": [
{
"events": [
{
"introduced": "23.9.0"
},
{
"fixed": "24.11.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-23200"
],
"database_specific": {
"cwe_ids": [
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2025-01-16T17:32:55Z",
"nvd_published_at": "2025-01-16T23:15:08Z",
"severity": "MODERATE"
},
"details": "# StoredXSS-LibreNMS-MiscSection\n\n\n**Description:**\n\n\nStored XSS on the parameter: `ajax_form.php` -\u003e param: state\n\nRequest:\n```http\nPOST /ajax_form.php HTTP/1.1\nHost: \u003cyour_host\u003e\nX-Requested-With: XMLHttpRequest\nX-CSRF-TOKEN: \u003cyour_XSRF_token\u003e\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\nCookie: \u003cyour_cookie\u003e\n\ntype=override-config\u0026device_id=1\u0026attrib=override_icmp_disable\u0026state=\"\u003e\u003cimg%20src%20onerror=\"alert(1)\"\u003e \n```\n\n\nof Librenms version 24.10.1 ([https://github.com/librenms/librenms](https://github.com/librenms/librenms)) allows remote attackers to inject malicious scripts. When a user views or interacts with the page displaying the data, the malicious script executes immediately, leading to potential unauthorized actions or data exposure.\n\n\nThe vulnerability in the line:\n```php\n$attrib_val = get_dev_attrib($device, $name);\n```\nwithin the `dynamic_override_config` function arises because the value of `$attrib_val is` retrieved from untrusted data without any sanitization or encoding (at [Line 778](https://github.com/librenms/librenms/blob/master/includes/html/functions.inc.php#L778)). \n\nWhen `dynamic_override_config` is called, the unescaped `$attrib_val` is injected directly into the HTML (at [misc.inc.php](https://github.com/librenms/librenms/blob/master/includes/html/pages/device/edit/misc.inc.php)).\n\n\n**Proof of Concept:**\n1. Add a new device through the LibreNMS interface.\n2. Edit the newly created device and select the Misc section.\n3. In any of the following fields: \"Override default ssh port\", \"Override default telnet port\", \"Override default http port\" or \"Unix agent port\", enter the payload: `\"\u003e\u003cimg src onerror=\"alert(document.cookie)\"\u003e`.\n4. Save the changes.\n5. Observe that when the page loads, the XSS payload executes, triggering a popup that displays the current cookies.\n\n\n\n\n\n\n\n**Impact:**\n\nExecution of Malicious Code\n",
"id": "GHSA-c66p-64fj-jmc2",
"modified": "2025-01-17T15:52:30Z",
"published": "2025-01-16T17:32:55Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/librenms/librenms/security/advisories/GHSA-c66p-64fj-jmc2"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-23200"
},
{
"type": "WEB",
"url": "https://github.com/librenms/librenms/pull/16722"
},
{
"type": "WEB",
"url": "https://github.com/librenms/librenms/commit/26258a2518dbfa55b213ec4b90ec16ed97efb597"
},
{
"type": "PACKAGE",
"url": "https://github.com/librenms/librenms"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "LibreNMS Misc Section Stored Cross-site Scripting vulnerability"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.