GHSA-6G2V-66CH-6XMH

Vulnerability from github – Published: 2025-10-16 20:18 – Updated: 2025-10-16 20:18
Summary
LibreNMS alert-rules has a Cross-Site Scripting Vulnerability
Details

Executive Summary

Product: LibreNMS
Vendor: LibreNMS
Vulnerability Type: Cross-Site Scripting (XSS)
CVSS Score: 4.3 (AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L)
Affected Version: 25.8.0 (latest at time of discovery)
POC File: Download POC
Ticket: ZDI-CAN-28105: LibreNMS Alert Rules Cross-Site Scripting Vulnerability

Vulnerability Details

Description

Trend Micro's Zero Day Initiative has identified a Cross-Site Scripting vulnerability in LibreNMS. The vulnerability exists in the Alert Rules functionality where the alert rule name is not properly sanitized, allowing injection of HTML code.

Technical Details

Version Tested: 25.8.0
Installer File: 25.8.0.tar.gz
Download Link: https://github.com/librenms/librenms/archive/refs/tags/25.8.0.tar.gz
Platform: N/A

Attack Vector

When browsing to the Alerts > Alert Rules page, a LibreNMS admin can add and manage alert rules. The alert rule name field is vulnerable to XSS attacks because it is improperly sanitized.

Root Cause Analysis

Vulnerable Request

When creating or updating an alert rule, the following HTTP POST request is sent to /ajax_form.php:

```
POST /ajax_form.php HTTP/1.1
...

_token=9YjTntCuMIe2ujpumwqJQoENRXUhJzlDt33Xu7kx&device_id=-1&device_name=&rule_id=&type=alert-rules&template_id=&builder_json=%7B%22condition%22%3A%22AND%22%2C%22rules%22%3A%5B%7B%22id%22%3A%22access_points.accesspoint_id%22%2C%22field%22%3A%22access_points.accesspoint_id%22%2C%22type%22%3A%22string%22%2C%22input%22%3A%22text%22%2C%22operator%22%3A%22equal%22%2C%22value%22%3A%2242%22%7D%5D%2C%22valid%22%3Atrue%7D&name=%3Ci%3Efoo%3C%2Fi%3E&builder_rule_0_filter=access_points.accesspoint_id&builder_rule_0_operator=equal&builder_rule_0_value_0=42&severity=warning&count=1&delay=1m&interval=5m&recovery=on&acknowledgement=on&proc=&notes=&adv_query=
```

Code Flow

  1. Request Processing: PHP script includes/html/forms/alert-rules.inc.php processes the request
  2. Sanitization Attempt: Calls strip_tags() to sanitize the name parameter
  3. Database Operation: Calls dbUpdate() or dbInsert() to save the rule

Bypass Technique

The sanitization can be bypassed using XML character references:

```html
&lt;script>alert(1)&lt;/script>
```

Execution Path

  1. Page Load: Victim browses to Alerts > Alert Rules page
  2. Script Execution: includes/html/print-alert/rules.php is called
  3. Modal Inclusion: Includes includes/html/modal/alert_rule_list.inc.php which returns HTML for modal window
  4. Table Rendering: Modal contains HTML table with all rules and inline JavaScript calling bootgrid() function
  5. XSS Trigger: The bootgrid() function (http://www.jquery-bootgrid.com/) rewrites table cells, decoding XML character references
  6. Code Execution: Browser interprets the decoded payload as HTML tags and executes the injected script
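
The following is an added example, not code from LibreNMS or from the advisory. It shows why a tag-stripping filter leaves a character-reference-encoded name untouched, how one decode round turns it back into markup, and how to audit stored rule names for that pattern. `strip_tags_like` is a simplified stand-in for PHP's `strip_tags()`, the sample rule names are constructed, and the output-encoding step is shown as a general mitigation, not as the project's actual fix.

```python
import html
import re

# Matches something that looks like an HTML tag: <i>, </i>, <b class="x">
TAG = re.compile(r"</?[a-zA-Z][^>]*>")

def strip_tags_like(value: str) -> str:
    """Simplified stand-in for PHP strip_tags(): removes literal tags only."""
    return TAG.sub("", value)

def decode_once(value: str) -> str:
    """Models a widget that reads a cell's decoded text and rewrites it as HTML."""
    return html.unescape(value)

def survives_as_markup(stored: str, max_rounds: int = 3) -> bool:
    """True if the stored value becomes an HTML tag after character-reference decoding."""
    current = stored
    for _ in range(max_rounds):
        if TAG.search(current):
            return True
        decoded = html.unescape(current)
        if decoded == current:
            break
        current = decoded
    return bool(TAG.search(current))

def encode_for_html(value: str) -> str:
    """Output encoding: '&' becomes '&amp;', so one decode round yields inert text."""
    return html.escape(value, quote=True)

def audit(rules: dict) -> list:
    """Return the ids of rules whose name decodes into markup."""
    return sorted(rid for rid, name in rules.items() if survives_as_markup(name))

# Constructed sample rule names (id -> name), as they might sit in the database.
SAMPLE_RULES = {
    1: "Device down",
    2: "Load &gt; 5 on core routers",   # encoded '>' only, no tag results
    3: "&lt;i>foo&lt;/i>",              # passes the tag stripper unchanged
    4: "&#60;b&#62;x&#60;/b&#62;",      # numeric character references
}

if __name__ == "__main__":
    for rid in audit(SAMPLE_RULES):
        print(f"rule {rid}: name decodes to markup: {SAMPLE_RULES[rid]!r}")
```

Run against an export of existing alert rule names, `audit` flags entries worth reviewing after upgrading to the fixed release.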

Proof of Concept

Usage

```bash
python3 poc.py client ip_addr -U <username> -P <password>
```

Optional Parameters

  • -E [kvp|multipart] - Specify HTTP request parameter encoding

Credit

Discovered by: Simon Humbert of Trend Research, Trend Micro

About Zero Day Initiative (ZDI)

Established by TippingPoint and acquired by Trend Micro, the Zero Day Initiative (ZDI) neither re-sells vulnerability details nor exploit code. Instead, upon notifying the affected product vendor, the ZDI provides its Trend Micro TippingPoint customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available.

References

  • ZDI Website: http://www.zerodayinitiative.com
  • Disclosure Policy: http://www.zerodayinitiative.com/advisories/disclosure_policy/

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 25.8.0"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "librenms/librenms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "25.10.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-62412"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-10-16T20:18:32Z",
    "nvd_published_at": "2025-10-16T18:15:39Z",
    "severity": "LOW"
  },
  "details": "## Executive Summary\n\n**Product:** LibreNMS  \n**Vendor:** LibreNMS  \n**Vulnerability Type:** Cross-Site Scripting (XSS)  \n**CVSS Score:** 4.3 (AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L)  \n**Affected Version:** 25.8.0 (latest at time of discovery)  \n**POC File:** [Download POC](https://trendmicro-my.sharepoint.com/:u:/p/kholoud_altookhy/EQYQOiGddUtOtz6739YUFU4B5FkNob_TvKBYEA8P6lSRQw?e=lDOR5W)\n**Ticket:** ZDI-CAN-28105: LibreNMS Alert Rules Cross-Site Scripting Vulnerability\n\n## Vulnerability Details\n\n### Description\nTrend Micro\u0027s Zero Day Initiative has identified a Cross-Site Scripting vulnerability in LibreNMS. The vulnerability exists in the Alert Rules functionality where the alert rule name is not properly sanitized, allowing injection of HTML code.\n\n### Technical Details\n\n**Version Tested:** 25.8.0  \n**Installer File:** 25.8.0.tar.gz  \n**Download Link:** https://github.com/librenms/librenms/archive/refs/tags/25.8.0.tar.gz  \n**Platform:** N/A\n\n### Attack Vector\nWhen browsing to **Alerts \u003e Alert Rules** page, a LibreNMS admin can add and manage alert rules. 
The alert rule name field is vulnerable to XSS attacks through improper sanitization.\n\n## Root Cause Analysis\n\n### Vulnerable Request\nWhen creating or updating an alert rule, the following HTTP POST request is sent to `/ajax_form.php`:\n\n ```\nPOST /ajax_form.php HTTP/1.1\n...\n\n_token=9YjTntCuMIe2ujpumwqJQoENRXUhJzlDt33Xu7kx\u0026device_id=-1\u0026device_name=\u0026rule_id=\u0026type=alert-rules\u0026template_id=\u0026builder_json=%7B%22condition%22%3A%22AND%22%2C%22rules%22%3A%5B%7B%22id%22%3A%22access_points.accesspoint_id%22%2C%22field%22%3A%22access_points.accesspoint_id%22%2C%22type%22%3A%22string%22%2C%22input%22%3A%22text%22%2C%22operator%22%3A%22equal%22%2C%22value%22%3A%2242%22%7D%5D%2C%22valid%22%3Atrue%7D\u0026name=%3Ci%3Efoo%3C%2Fi%3E\u0026builder_rule_0_filter=access_points.accesspoint_id\u0026builder_rule_0_operator=equal\u0026builder_rule_0_value_0=42\u0026severity=warning\u0026count=1\u0026delay=1m\u0026interval=5m\u0026recovery=on\u0026acknowledgement=on\u0026proc=\u0026notes=\u0026adv_query=\n```\n\n### Code Flow\n\n1. **Request Processing:** PHP script `includes/html/forms/alert-rules.inc.php` processes the request\n2. **Sanitization Attempt:** Calls `strip_tags()` to sanitize the `name` parameter\n3. **Database Operation:** Calls `dbUpdate()` or `dbInsert()` to save the rule\n\n### Bypass Technique\nThe sanitization can be bypassed using XML character references:\n\n```html\n\u0026lt;script\u003ealert(1)\u0026lt;/script\u003e\n```\n\n### Execution Path\n\n1. **Page Load:** Victim browses to Alerts \u003e Alert Rules page\n2. **Script Execution:** `includes/html/print-alert/rules.php` is called\n3. **Modal Inclusion:** Includes `includes/html/modal/alert_rule_list.inc.php` which returns HTML for modal window\n4. **Table Rendering:** Modal contains HTML table with all rules and inline JavaScript calling `bootgrid()` function\n5. 
**XSS Trigger:** The `bootgrid()` function (http://www.jquery-bootgrid.com/) rewrites table cells, decoding XML character references\n6. **Code Execution:** Browser interprets the decoded payload as HTML tags and executes the injected script\n\n## Proof of Concept\n\n### Usage\n```bash\npython3 poc.py client ip_addr -U \u003cusername\u003e -P \u003cpassword\u003e\n```\n\n### Optional Parameters\n- `-E [kvp|multipart]` - Specify HTTP request parameter encoding\n\n## Credit\n\n**Discovered by:** Simon Humbert of Trend Research, Trend Micro\n\n## About Zero Day Initiative (ZDI)\n\nEstablished by TippingPoint and acquired by Trend Micro, the Zero Day Initiative (ZDI) neither re-sells vulnerability details nor exploit code. Instead, upon notifying the affected product vendor, the ZDI provides its Trend Micro TippingPoint customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available.\n\n## References\n\n- **ZDI Website:** http://www.zerodayinitiative.com\n- **Disclosure Policy:** http://www.zerodayinitiative.com/advisories/disclosure_policy/",
  "id": "GHSA-6g2v-66ch-6xmh",
  "modified": "2025-10-16T20:18:32Z",
  "published": "2025-10-16T20:18:32Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/librenms/librenms/security/advisories/GHSA-6g2v-66ch-6xmh"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62412"
    },
    {
      "type": "WEB",
      "url": "https://github.com/librenms/librenms/commit/dccdf6769976a974d70f06a7ce8d5a846b29db6f"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/librenms/librenms"
    },
    {
      "type": "WEB",
      "url": "https://github.com/librenms/librenms/releases/tag/25.10.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "LibreNMS alert-rules has a Cross-Site Scripting Vulnerability"
}

