Stored XSS in Notifications in librenms/librenms
Valid
Reported on
Sep 23rd 2022
Description
It is possible to create a notification with stored XSS which can result in the JavaScript code execution. Notifications can only be created while logged in on user with admin privileges, but once notification is created any user can see it.
Proof of Concept
Create notification with title: `<img src=x onerror=alert(document.cookie) />`
description can be anything (there's no XSS there)
Impact
XSS is capable of hi-jacking user account, leaking confidential information from the system or even getting sensitive data.
Occurrences
notifications.inc.php L128
In the following code, there are no sanitization for the HTML tags.
The fix is to use \LibreNMS\Util\Clean::html function on $notif['title'] variable.
We are processing your report and will contact the
librenms
team within 24 hours.
8 months ago
We have contacted a member of the
librenms
team and are waiting to hear back
8 months ago
We have sent a
follow up to the
librenms
team.
We will try again in 7 days.
7 months ago
We have sent a
second
follow up to the
librenms
team.
We will try again in 10 days.
7 months ago
We have sent a
third and final
follow up to the
librenms
team.
This report is now considered stale.
7 months ago
The researcher's credibility has increased: +7
notifications.inc.php#L128
has been validated
to join this conversation