ghsa-gcgp-q2jq-fw52
Vulnerability from github
Published
2024-10-01 20:31
Modified
2024-10-01 21:52
Severity ?
3.5 (Low) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N
1.9 (Low) - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P
Summary
LibreNMS has Stored Cross-site Scripting vulnerability in "Alert Templates" feature
Details

Summary

A Self Cross-Site Scripting (Self-XSS) vulnerability in the "Alert Templates" feature allows users to inject arbitrary JavaScript into the alert template's name. This script executes immediately upon submission but does not persist after a page refresh.

Details

The vulnerability occurs when creating an alert template in the LibreNMS interface. Although the application sanitizes the "name" field when storing it in the database, this newly created template is immediately added to the table without any sanitization being applied to the name, allowing users to inject arbitrary JavaScript. This script executes when the template is created but does not persist in the database, thus preventing stored XSS.

For instance, the following payload can be used to exploit the vulnerability: test1<script>{onerror=alert}throw 1337</script>

The root cause of this vulnerability lies in the lack of sanitization of the "name" variable before it is rendered in the table. The vulnerability exists because the bootgrid function of the jQuery grid plugin does not sanitize the text being added to the table. Although tags are stripped before being added to the database (as shown in the code below), the vulnerability still allows Self-XSS during the creation of the template.

Where the variable is being sanitized before being stored in the database: https://github.com/librenms/librenms/blob/0e741e365aa974a74aee6b43d1b4b759158a5c7e/includes/html/forms/alert-templates.inc.php#L40

Where the vulnerability is happening: https://github.com/librenms/librenms/blob/0e741e365aa974a74aee6b43d1b4b759158a5c7e/includes/html/modal/alert_template.inc.php#L205

PoC

  1. Navigate to the "Alert Templates" creation page in the LibreNMS interface.
  2. In the "Name" field, input the following payload: test1<script>{onerror=alert}throw 1337</script>
  3. Submit the form to create the alert template.
  4. Observe that the JavaScript executes immediately, triggering an alert popup. However, this code does not persist after refreshing the page.

Impact

This is a Self Cross-Site Scripting (Self-XSS) vulnerability. Although the risk is lower compared to traditional XSS, it can still be exploited through social engineering or tricking users into entering or interacting with malicious code. This can lead to unauthorized actions or data exposure in the context of the affected user's session.

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "librenms/librenms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "24.9.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-47526"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-10-01T20:31:09Z",
    "nvd_published_at": "2024-10-01T21:15:07Z",
    "severity": "LOW"
  },
  "details": "### Summary\nA Self Cross-Site Scripting (Self-XSS) vulnerability in the \"Alert Templates\" feature allows users to inject arbitrary JavaScript into the alert template\u0027s name. This script executes immediately upon submission but does not persist after a page refresh.\n\n### Details\nThe vulnerability occurs when creating an alert template in the LibreNMS interface. Although the application sanitizes the \"name\" field when storing it in the database, this newly created template is immediately added to the table without any sanitization being applied to the name, allowing users to inject arbitrary JavaScript. This script executes when the template is created but does not persist in the database, thus preventing stored XSS.\n\nFor instance, the following payload can be used to exploit the vulnerability:\n```test1\u003cscript\u003e{onerror=alert}throw 1337\u003c/script\u003e```\n\nThe root cause of this vulnerability lies in the lack of sanitization of the \"name\" variable before it is rendered in the table. The vulnerability exists because the bootgrid function of the jQuery grid plugin does not sanitize the text being added to the table. Although tags are stripped before being added to the database (as shown in the code below), the vulnerability still allows Self-XSS during the creation of the template.\n\nWhere the variable is being sanitized before being stored in the database:\nhttps://github.com/librenms/librenms/blob/0e741e365aa974a74aee6b43d1b4b759158a5c7e/includes/html/forms/alert-templates.inc.php#L40\n\nWhere the vulnerability is happening:\nhttps://github.com/librenms/librenms/blob/0e741e365aa974a74aee6b43d1b4b759158a5c7e/includes/html/modal/alert_template.inc.php#L205 \n\n### PoC\n1. Navigate to the \"Alert Templates\" creation page in the LibreNMS interface.\n2. In the \"Name\" field, input the following payload:\n```test1\u003cscript\u003e{onerror=alert}throw 1337\u003c/script\u003e```\n3. Submit the form to create the alert template.\n4. Observe that the JavaScript executes immediately, triggering an alert popup. However, this code does not persist after refreshing the page.\n\n### Impact\nThis is a Self Cross-Site Scripting (Self-XSS) vulnerability. Although the risk is lower compared to traditional XSS, it can still be exploited through social engineering or tricking users into entering or interacting with malicious code. This can lead to unauthorized actions or data exposure in the context of the affected user\u0027s session.\n",
  "id": "GHSA-gcgp-q2jq-fw52",
  "modified": "2024-10-01T21:52:26Z",
  "published": "2024-10-01T20:31:09Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/librenms/librenms/security/advisories/GHSA-gcgp-q2jq-fw52"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47526"
    },
    {
      "type": "WEB",
      "url": "https://github.com/librenms/librenms/commit/f259edc19b9f0ccca484c60b1ba70a0bfff97ef5"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/librenms/librenms"
    },
    {
      "type": "WEB",
      "url": "https://github.com/librenms/librenms/blob/0e741e365aa974a74aee6b43d1b4b759158a5c7e/includes/html/forms/alert-templates.inc.php#L40"
    },
    {
      "type": "WEB",
      "url": "https://github.com/librenms/librenms/blob/0e741e365aa974a74aee6b43d1b4b759158a5c7e/includes/html/modal/alert_template.inc.php#L205"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "LibreNMS has Stored Cross-site Scripting vulnerability in \"Alert Templates\" feature"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.