GHSA-FRC6-PWGR-C28W

Vulnerability from github – Published: 2025-10-16 16:52 – Updated: 2025-10-16 19:28
Summary
LibreNMS has a Stored XSS vulnerability in its Alert Transport name field
Details

Summary

LibreNMS <= 25.8.0 contains a Stored Cross-Site Scripting (XSS) vulnerability in the Alert Transports management functionality. When an administrator creates a new Alert Transport, the value of the Transport name field is stored and later rendered in the Transports column of the Alert Rules page without proper input validation or output encoding. This leads to arbitrary JavaScript execution in the admin’s browser.

Details

  • Injection point: Transport name field in /alert-transports.
  • Execution point: Transports column in /alert-rules.
  • Scope: Only administrators can create Alert Transports, and only administrators can view the affected Alert Rules page. Therefore, both exploitation and impact are limited to admin users.

Steps to reproduce

  1. Log in with an administrator account.
  2. Navigate to http://localhost:8000/alert-transports
  3. Click Create alert transport and provide the following values:
     • Transport name: 'onfocus='alert(1)' autofocus=
     • Default Alert: ON
     • Email: test@gmail.com (or any valid email)
     Save the transport.
  4. Navigate to http://localhost:8000/alert-rules. A popup alert(1) is triggered, confirming that the payload executes.

Impact

Only accounts with the admin role who access the Alert Rules page (http://localhost:8000/alert-rules) are affected.
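The rendering defect the advisory describes, as an added example that is not LibreNMS's own code: the stored transport name concatenated into a single-quoted attribute (the vulnerable pattern) beside the same cell with output encoding, plus a small model of the browser's attribute tokenizer that shows why the leading quote in the name is enough to start a new attribute. The template, the title attribute and the cell structure are assumptions; only the transport name comes from the advisory's reproduction steps.

```javascript
// Added example, not LibreNMS code. Assumed rendering: the stored transport
// name is interpolated into a single-quoted attribute and the element body.
function escapeHtml(value) {            // output encoding for text and attribute contexts
  return String(value)
    .replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}
// Vulnerable pattern: the stored name is concatenated in verbatim.
function renderTransportCellVulnerable(name) {
  return `<span class='transport' title='${name}'>${name}</span>`;
}
// Hardened pattern: encode at output, so no stored value can close the
// attribute or start a new one.
function renderTransportCellSafe(name) {
  const safe = escapeHtml(name);
  return `<span class='transport' title='${safe}'>${safe}</span>`;
}

// Simplified model of the HTML tokenizer's attribute states: a closing quote
// ends the value and the next characters start a new attribute name even
// without whitespace. Returns the attribute names of the first start tag.
function startTagAttributeNames(markup) {
  const ws = (c) => /\s/.test(c);
  const names = [];
  let i = markup.indexOf('<') + 1;
  while (i < markup.length && !ws(markup[i]) && markup[i] !== '>') i++; // tag name
  while (i < markup.length && markup[i] !== '>') {
    if (ws(markup[i])) { i++; continue; }
    let name = '';
    while (i < markup.length && !ws(markup[i]) && !'=>'.includes(markup[i])) name += markup[i++];
    if (name) names.push(name.toLowerCase());
    while (i < markup.length && ws(markup[i])) i++;
    if (markup[i] !== '=') continue;
    i++; while (i < markup.length && ws(markup[i])) i++;   // consume '=' and whitespace
    const q = markup[i];
    if (q === "'" || q === '"') {                    // quoted value: runs to the matching quote
      const end = markup.indexOf(q, i + 1);
      i = end === -1 ? markup.length : end + 1;
    } else {                                         // unquoted value: runs to whitespace or '>'
      while (i < markup.length && !ws(markup[i]) && markup[i] !== '>') i++;
    }
  }
  return names;
}

// Constructed input: the transport name from the advisory's reproduction steps.
const STORED_NAME = "'onfocus='alert(1)' autofocus=";
console.log('vulnerable:', startTagAttributeNames(renderTransportCellVulnerable(STORED_NAME)));
console.log('hardened:  ', startTagAttributeNames(renderTransportCellSafe(STORED_NAME)));
```

The vulnerable cell ends up with onfocus and autofocus attributes the template never declared, while the hardened cell keeps only class and title.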


{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "librenms/librenms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "25.10.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-62411"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-10-16T16:52:13Z",
    "nvd_published_at": "2025-10-16T18:15:39Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nLibreNMS \u003c= 25.8.0 contains a **Stored Cross-Site Scripting (XSS)** vulnerability in the Alert Transports management functionality. When an administrator creates a new Alert Transport, the value of the `Transport name` field is stored and later rendered in the **Transports** column of the **Alert Rules** page without proper input validation or output encoding. This leads to arbitrary JavaScript execution in the admin\u2019s browser.\n\n### Details\n\n* **Injection point:** `Transport name` field in `/alert-transports`.\n* **Execution point:** **Transports** column in `/alert-rules`.\n* **Scope:** Only administrators can create Alert Transports, and only administrators can view the affected Alert Rules page. Therefore, both exploitation and impact are limited to admin users.\n\n### Steps to reproduce\n\n1. Log in with an administrator account.\n2. Navigate to:\n\n   ```\n   http://localhost:8000/alert-transports\n   ```\n3. Click **Create alert transport** and provide the following values:\n\n   * **Transport name:**\n\n     ```html\n     \u0027onfocus=\u0027alert(1)\u0027 autofocus=\n     ```\n   * **Default Alert:** `ON`\n   * **Email:** `test@gmail.com` (or any valid email)\n   \n    Save the transport.\n   \n4. Navigate to ```http://localhost:8000/alert-rules```. A popup `alert(1)` is triggered, confirming that the payload executes.\n\u003cimg width=\"1829\" height=\"396\" alt=\"image\" src=\"https://github.com/user-attachments/assets/932ba17d-214d-4253-80b8-62539d1cfa28\" /\u003e\n\n### Impact\n\nOnly accounts with the admin role who access the **Alert Rules** page (`http://localhost:8000/alert-rules`) are affected.",
  "id": "GHSA-frc6-pwgr-c28w",
  "modified": "2025-10-16T19:28:59Z",
  "published": "2025-10-16T16:52:13Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/librenms/librenms/security/advisories/GHSA-frc6-pwgr-c28w"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62411"
    },
    {
      "type": "WEB",
      "url": "https://github.com/librenms/librenms/commit/706a77085f4d5964f7de9444208ef707e1f79450"
    },
    {
      "type": "WEB",
      "url": "https://github.com/librenms/librenms/commit/e1ead366239b57e88f9a06d4f7c213b1e2530cd8"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/librenms/librenms"
    },
    {
      "type": "WEB",
      "url": "https://github.com/librenms/librenms/releases/tag/25.10.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "LibreNMS has a Stored XSS vulnerability in its Alert Transport name field"
}