LibreNMS v1.54 XSS

Disclosure date:  08/19/19


LibreNMS v1.54 and possibly before are affected by numerous Cross Site Script vulnerabilities in the "Create User", "Inventory", "Add Device", "Notifications", "Alert Rule", "Create Maintenance", "Alert Template", and "Alert Template" sections of the admin console.  This could lead to cookie stealing and other malicious actions.  This vulnerability can be exploited with an authenticated account.  

Create User:

Upon selecting Save:

Inventory search:

Upon hitting enter:

Add Device:

Upon select Add Device:

Add Notification:

Upon selecting Add Notification:

Alert Rule:

Upon selecting Save Rule:

Create Maintenance:

Upon selecting Schedule maintenance:

Alert Template:

Upon selecting Create template:

Create alert transport:

Upon selecting Save Transport: