Stored XSS in Notifications in librenms/librenms

Valid

Reported on

Sep 23rd 2022


Description

It is possible to create a notification containing a stored XSS payload, which can result in JavaScript code execution. Notifications can only be created while logged in as a user with admin privileges, but once a notification is created, any user can see it.

Proof of Concept

Create a notification with the title: `<img src=x onerror=alert(document.cookie) />`
The description can be anything (there's no XSS there).

Impact

XSS is capable of hijacking a user account, leaking confidential information from the system, or even getting sensitive data.

Occurrences

In the following code, there is no sanitization of HTML tags. The fix is to use the `\LibreNMS\Util\Clean::html` function on the `$notif['title']` variable.
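The unescaped-title pattern described above, next to an output-encoded version, as an added example that is not LibreNMS source code. The function names and the sample row are hypothetical, and `htmlspecialchars` stands in for the `\LibreNMS\Util\Clean::html` call named in the report so the snippet runs on its own.

```php
<?php
// Added illustration, not LibreNMS code. render_title_unsafe(),
// render_title_safe() and count_img_elements() are hypothetical names.

// Constructed sample row using the title from the proof of concept above.
$notif = ['title' => '<img src=x onerror=alert(document.cookie) />'];

// Vulnerable pattern: the stored title is concatenated into markup as-is,
// so a browser parses it as an element and fires its event handler.
function render_title_unsafe(array $notif): string
{
    return '<h3>' . $notif['title'] . '</h3>';
}

// Hardened pattern: encode at output time so the title is only ever text.
// Assumption: htmlspecialchars() is used here as a stand-in for the
// Clean::html fix the report recommends.
function render_title_safe(array $notif): string
{
    $title = htmlspecialchars($notif['title'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<h3>' . $title . '</h3>';
}

// Parse the rendered fragment the way a browser would and count the <img>
// elements that ended up in the DOM. Requires the PHP DOM extension.
function count_img_elements(string $html): int
{
    libxml_use_internal_errors(true); // tolerate fragment-level parse warnings
    $doc = new DOMDocument();
    $doc->loadHTML('<div>' . $html . '</div>');
    libxml_clear_errors();
    return $doc->getElementsByTagName('img')->length;
}

// Regression check: the unsafe render injects an element, the safe one does not.
$unsafeImgs = count_img_elements(render_title_unsafe($notif));
$safeImgs   = count_img_elements(render_title_safe($notif));

if ($unsafeImgs !== 1 || $safeImgs !== 0) {
    throw new RuntimeException("unexpected element count: $unsafeImgs / $safeImgs");
}

echo "unsafe render: $unsafeImgs injected <img> element(s)\n";
echo "safe render:   $safeImgs injected <img> element(s)\n";
```

Counting parsed elements rather than searching the string for `<img` makes the same check usable as a regression test for other fields that are rendered into the page.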

We are processing your report and will contact the librenms team within 24 hours. 2 months ago
We have contacted a member of the librenms team and are waiting to hear back 2 months ago
We have sent a follow up to the librenms team. We will try again in 7 days. 2 months ago
We have sent a second follow up to the librenms team. We will try again in 10 days. 2 months ago
We have sent a third and final follow up to the librenms team. This report is now considered stale. a month ago
Tony Murray validated this vulnerability a month ago
Filip Kania has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Tony Murray marked this as fixed in 22.10.0 with commit 8e8569 a month ago
Tony Murray has been awarded the fix bounty
This vulnerability has been assigned a CVE
notifications.inc.php#L128 has been validated
Tony Murray published this vulnerability 9 days ago