Stored XSS in Notifications in librenms/librenms

Valid

Reported on

Sep 23rd 2022


Description

It is possible to create a notification containing a stored XSS payload, which results in JavaScript code execution. Notifications can only be created while logged in as a user with admin privileges, but once a notification is created, any user can see it.

Proof of Concept

Create a notification with the title: `<img src=x onerror=alert(document.cookie) />`
The description can be anything (there's no XSS there).

Impact

XSS can be used to hijack user accounts, leak confidential information from the system, or obtain sensitive data.

Occurrences

In the following code, there is no sanitization of HTML tags. The fix is to use the `\LibreNMS\Util\Clean::html` function on the `$notif['title']` variable.
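The before and after of this class of fix, as an added example that is not LibreNMS code: the function names, the `<h4>` markup and the sample rows are hypothetical, and PHP's built-in `htmlspecialchars()` stands in for the project's `\LibreNMS\Util\Clean::html` so the script runs without the code base. It also includes a regression check that parses the rendered markup and reports any inline event-handler attribute.

```php
<?php
declare(strict_types=1);

// Constructed sample rows; the second title is the payload from this report.
$notifications = [
    ['title' => 'Scheduled maintenance'],
    ['title' => '<img src=x onerror=alert(document.cookie) />'],
];

// "Before": title concatenated into markup unchanged (hypothetical template).
function render_title_unsafe(array $notif): string
{
    return '<h4>' . $notif['title'] . '</h4>';
}

// "After": title encoded for an HTML text context before output.
// htmlspecialchars() is a stand-in for \LibreNMS\Util\Clean::html (assumption).
function render_title_escaped(array $notif): string
{
    $title = htmlspecialchars((string) $notif['title'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<h4>' . $title . '</h4>';
}

// Regression check: parse the rendered fragment and list every element that
// carries an inline event-handler attribute (any attribute starting "on").
function inline_handlers(string $html): array
{
    $doc = new DOMDocument();
    $prev = libxml_use_internal_errors(true);   // tolerate non-strict markup
    $doc->loadHTML('<div>' . $html . '</div>');
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    $found = [];
    foreach ($doc->getElementsByTagName('*') as $el) {
        foreach ($el->attributes as $attr) {
            if (stripos($attr->name, 'on') === 0) {
                $found[] = $el->tagName . '[' . $attr->name . ']';
            }
        }
    }
    return $found;
}

foreach ($notifications as $n) {
    printf("%-26s unsafe=[%s] escaped=[%s]\n", substr($n['title'], 0, 25),
        implode(',', inline_handlers(render_title_unsafe($n))),
        implode(',', inline_handlers(render_title_escaped($n))));
}
```

A check like `inline_handlers()` can run in a test suite against every template that prints user-controlled fields, so a title that reaches the page unencoded fails the build.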

We are processing your report and will contact the librenms team within 24 hours. a year ago
A GitHub Issue asking the maintainers to create a SECURITY.md exists a year ago
We have contacted a member of the librenms team and are waiting to hear back a year ago
We have sent a follow up to the librenms team. We will try again in 7 days. a year ago
We have sent a second follow up to the librenms team. We will try again in 10 days. a year ago
We have sent a third and final follow up to the librenms team. This report is now considered stale. a year ago
Tony Murray validated this vulnerability a year ago
Filip Kania has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Tony Murray marked this as fixed in 22.10.0 with commit 8e8569 a year ago
Tony Murray has been awarded the fix bounty
This vulnerability has been assigned a CVE
notifications.inc.php#L128 has been validated
Tony Murray published this vulnerability a year ago