Cross-site Scripting (XSS) - Stored in librenms/librenms

Valid

Reported on

Feb 18th 2022

Stored-xss is possible when adding a rule.

Create a new Alert Rule (like below) and adjust the query like below with the following payload

"><img src=x onerror=alert(document.cookie)> alt text

Save the rule and see a xss-pop up. alt text

We are processing your report and will contact the librenms team within 24 hours. a year ago

We have contacted a member of the librenms team and are waiting to hear back a year ago

Neil Lathwood modified the report

a year ago

ribersec modified the report

a year ago

We have sent a follow up to the librenms team. We will try again in 7 days. a year ago

Neil Lathwood modified the report

a year ago

Neil Lathwood modified the report

a year ago

Neil Lathwood validated this vulnerability a year ago

ribersec has been awarded the disclosure bounty

The fix bounty is now up for grabs

Neil Lathwood marked this as fixed in 22.2.2 with commit 703745 a year ago

The fix bounty has been dropped

This vulnerability will not receive a CVE

to join this conversation

We are processing your report and will contact the librenms team within 24 hours. a year ago

We have contacted a member of the librenms team and are waiting to hear back a year ago

Neil Lathwood modified the report

a year ago

ribersec modified the report

a year ago

We have sent a follow up to the librenms team. We will try again in 7 days. a year ago

Neil Lathwood modified the report

a year ago

Neil Lathwood modified the report

a year ago

Neil Lathwood validated this vulnerability a year ago

ribersec has been awarded the disclosure bounty

The fix bounty is now up for grabs

Neil Lathwood marked this as fixed in 22.2.2 with commit 703745 a year ago

The fix bounty has been dropped

This vulnerability will not receive a CVE

to join this conversation