Stored XSS in Notifications in librenms/librenms
Reported on
Sep 23rd 2022
Description
It is possible to create a notification with stored XSS, which can result in JavaScript code execution. Notifications can only be created while logged in as a user with admin privileges, but once a notification is created, any user can see it.
Proof of Concept
Create notification with title: `<img src=x onerror=alert(document.cookie) />`
The description can be anything (there's no XSS there).
Impact
XSS is capable of hijacking a user account, leaking confidential information from the system, or even getting sensitive data.
Occurrences
notifications.inc.php L128
In the following code, there is no sanitization of the HTML tags. The fix is to use the \LibreNMS\Util\Clean::html function on the $notif['title'] variable.
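The before and after of the fix described above, as an added example that is not LibreNMS code: `render_unsafe`, `render_safe`, `injected_markup`, the markup and the sample rows are hypothetical, and `htmlspecialchars` stands in for `\LibreNMS\Util\Clean::html` so the script runs without the project. It needs PHP's DOM extension.

```php
<?php
// Added example: hypothetical helpers, not the code at notifications.inc.php L128.

// Constructed notification rows; the second title is the PoC value from the report.
$notifications = [
    ['title' => 'Disk usage above 90% on core-sw1'],
    ['title' => '<img src=x onerror=alert(document.cookie) />'],
];

// Assumption: stand-in for \LibreNMS\Util\Clean::html, used so this runs stand-alone.
function clean_title(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// "Before": the stored title is concatenated into the markup as-is.
function render_unsafe(array $notif): string
{
    return '<h3 class="panel-title">' . $notif['title'] . '</h3>';
}

// "After": the stored title is encoded at the point of output.
function render_safe(array $notif): string
{
    return '<h3 class="panel-title">' . clean_title($notif['title']) . '</h3>';
}

// Regression check: parse the rendered fragment and list every element that
// ended up inside the heading. A plain-text title must produce none.
function injected_markup(string $html): array
{
    $doc = new DOMDocument();
    @$doc->loadHTML('<div>' . $html . '</div>', LIBXML_NOERROR | LIBXML_NOWARNING);
    $found = [];
    foreach ((new DOMXPath($doc))->query('//h3//*') as $el) {
        $found[] = $el->nodeName;
    }
    return $found;
}

foreach ($notifications as $n) {
    printf("title:  %s\n", $n['title']);
    printf("unsafe: %s\n", json_encode(injected_markup(render_unsafe($n))));
    printf("safe:   %s\n\n", json_encode(injected_markup(render_safe($n))));
}
```

A check like `injected_markup` can be run in a test suite over every template that prints a stored field, so an unencoded output regresses loudly.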