CVE-2024-56144
LibreNMS Display Name 2 Stored Cross-site Scripting vulnerability
Description
StoredXSS-LibreNMS-Display Name 2

Description: XSS on the `display` parameter of `/device/$DEVICE_ID/edit` (replace $DEVICE_ID with your specific $DEVICE_ID value) in LibreNMS version 24.11.0 (https://github.com/librenms/librenms) allows remote attackers to inject malicious scripts. When a user views or interacts with the page displaying the data, the malicious script executes immediately, leading to potential unauthorized actions or data exposure.

Proof of Concept:
1. Add a new device through the LibreNMS interface.
2. Edit the newly created device by going to the "Device Settings" section.
3. In the "Display Name" field, enter the following payload: `"><img src onerror="alert(document.cookie)">`.
4. Save the changes.
5. The XSS payload is triggered when navigating to the path /device/$DEVICE_ID/logs and hovering over a type containing a tag (such as Core 1 in the image).

Impact: Execution of Malicious Code
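The advisory describes a stored display name reaching a hover tooltip on the logs page without being escaped for its HTML context. The following is an added illustration, not LibreNMS code and not the fix shipped in 24.12.0: it shows the raw-concatenation pattern beside a contextually escaped one, a small tag scanner used to verify the difference, and a helper a defender can run over stored device records to flag display names that contain HTML metacharacters and should be reviewed after upgrading. The function names, the `<span title>` markup and the `SAMPLE_DEVICES` records are assumptions constructed for the example; the payload string is the one quoted in the advisory.

```javascript
// Added example (not LibreNMS code): contextual escaping for a device display
// name rendered into an HTML title attribute, the context the advisory
// describes. Function names and markup are assumptions for illustration.

// Escape the five characters that change meaning inside an HTML text node or a
// double-quoted attribute value.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern, kept for contrast: the display name is concatenated raw,
// so a value starting with '">' closes the attribute and injects an element.
function renderTypeCellUnsafe(displayName) {
  return `<span title="${displayName}">${displayName}</span>`;
}

// Hardened pattern: every interpolation is escaped for its context, so the
// value stays inside the attribute and inside the text node.
function renderTypeCellSafe(displayName) {
  const safe = escapeHtml(displayName);
  return `<span title="${safe}">${safe}</span>`;
}

// Minimal scanner for verification: collects the names of opening tags in the
// produced markup. Correctly escaped output contains exactly one 'span'.
function elementTagsIn(markup) {
  const tags = [];
  const re = /<([a-zA-Z][a-zA-Z0-9]*)/g;
  let m;
  while ((m = re.exec(markup)) !== null) tags.push(m[1].toLowerCase());
  return tags;
}

// Defender-side review helper: return the device IDs whose stored display name
// contains HTML metacharacters, so they can be inspected and cleaned up.
function findSuspiciousDisplayNames(devices) {
  return devices
    .filter((d) => /[<>"']/.test(d.display))
    .map((d) => d.device_id);
}

// Constructed sample records (assumption): two benign names and the advisory's payload.
const SAMPLE_DEVICES = [
  { device_id: 1, display: 'core-sw-01' },
  { device_id: 2, display: 'Core 1' },
  { device_id: 3, display: '"><img src onerror="alert(document.cookie)">' },
];

// Stand-alone run: compare the element structure of both renderings.
for (const d of SAMPLE_DEVICES) {
  console.log(d.device_id, 'unsafe:', elementTagsIn(renderTypeCellUnsafe(d.display)),
    'safe:', elementTagsIn(renderTypeCellSafe(d.display)));
}
console.log('review these device IDs:', findSuspiciousDisplayNames(SAMPLE_DEVICES));
```

The scanner is deliberately simple and is only there to make the difference observable; in a browser, parsing both strings with `DOMParser` and counting elements gives the same answer. The point is that escaping must be applied per output context (attribute value and text node here) at render time, regardless of what the edit form accepted.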
How to fix CVE-2024-56144
To remediate CVE-2024-56144, upgrade the affected package to a fixed version below.
- Upgrade to 24.12.0 or later
Is CVE-2024-56144 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- >= 24.11.10, < 24.12.0