Stored XSS in Notifications in librenms/librenms

Valid

Reported on

Sep 23rd 2022

Description

It is possible to create a notification with stored XSS which can result in the JavaScript code execution. Notifications can only be created while logged in on user with admin privileges, but once notification is created any user can see it.

Proof of Concept

Create notification with title: `<img src=x onerror=alert(document.cookie) />`
description can be anything (there's no XSS there)

Impact

XSS is capable of hi-jacking user account, leaking confidential information from the system or even getting sensitive data.

Occurrences

notifications.inc.php L128

In the following code, there are no sanitization for the HTML tags. The fix is to use \LibreNMS\Util\Clean::html function on $notif['title'] variable.

We are processing your report and will contact the librenms team within 24 hours. a year ago

We have contacted a member of the librenms team and are waiting to hear back a year ago

We have sent a follow up to the librenms team. We will try again in 7 days. a year ago

We have sent a second follow up to the librenms team. We will try again in 10 days. a year ago

We have sent a third and final follow up to the librenms team. This report is now considered stale. a year ago

Tony Murray validated this vulnerability a year ago

Filip Kania has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

Tony Murray marked this as fixed in 22.10.0 with commit 8e8569 a year ago

Tony Murray has been awarded the fix bounty

This vulnerability has been assigned a CVE

notifications.inc.php#L128 has been validated

Tony Murray published this vulnerability 10 months ago

to join this conversation