CVE-2025-23200
MEDIUM 4.6 | EPSS 4.9% | LibreNMS Misc Section Stored Cross-site Scripting vulnerability
Description
# StoredXSS-LibreNMS-MiscSection

**Description:**

Stored XSS on the `state` parameter of `ajax_form.php` in LibreNMS version 24.10.1 ([https://github.com/librenms/librenms](https://github.com/librenms/librenms)) allows remote attackers to inject malicious scripts. When a user views or interacts with the page displaying the data, the malicious script executes immediately, leading to potential unauthorized actions or data exposure.

Request:

```http
POST /ajax_form.php HTTP/1.1
Host: <your_host>
X-Requested-With: XMLHttpRequest
X-CSRF-TOKEN: <your_XSRF_token>
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Cookie: <your_cookie>

type=override-config&device_id=1&attrib=override_icmp_disable&state="><img%20src%20onerror="alert(1)">
```

The vulnerability in the line:

```php
$attrib_val = get_dev_attrib($device, $name);
```

within the `dynamic_override_config` function arises because the value of `$attrib_val` is retrieved from untrusted data without any sanitization or encoding (at [Line 778](https://github.com/librenms/librenms/blob/master/includes/html/functions.inc.php#L778)). When `dynamic_override_config` is called, the unescaped `$attrib_val` is injected directly into the HTML (at [misc.inc.php](https://github.com/librenms/librenms/blob/master/includes/html/pages/device/edit/misc.inc.php)).

**Proof of Concept:**

1. Add a new device through the LibreNMS interface.
2. Edit the newly created device and select the Misc section.
3. In any of the following fields: "Override default ssh port", "Override default telnet port", "Override default http port" or "Unix agent port", enter the payload: `"><img src onerror="alert(document.cookie)">`.
4. Save the changes.
5. Observe that when the page loads, the XSS payload executes, triggering a popup that displays the current cookies.

**Impact:** Execution of Malicious Code
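
The root cause described above (a stored attribute value written into HTML without encoding) shown next to an output-encoded rendering and a write-time port check, as an added example that is not LibreNMS code and not the project's patch. The function names and the `override_ssh_port` field name are assumptions made for illustration.

```php
<?php
// Added illustration, not LibreNMS code. All function names are hypothetical.

// Constructed sample: the value as stored by the request shown in the advisory.
$stored = '"><img src onerror="alert(1)">';

// Vulnerable pattern: the stored value is concatenated into an HTML
// attribute with no encoding, so a double quote ends the attribute early.
function render_port_input_unsafe(string $name, string $value): string
{
    return '<input type="text" name="' . $name . '" value="' . $value . '">';
}

// Hardened pattern: encode for the HTML attribute context at output time,
// regardless of how the value got into storage.
function render_port_input_safe(string $name, string $value): string
{
    $flags = ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5;
    return '<input type="text" name="' . htmlspecialchars($name, $flags, 'UTF-8')
        . '" value="' . htmlspecialchars($value, $flags, 'UTF-8') . '">';
}

// Defence in depth at write time: a port override is only ever an
// integer in 1..65535, so anything else is rejected before it is stored.
function validate_port(string $raw): ?int
{
    $port = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => 65535],
    ]);
    return $port === false ? null : $port;
}

// 'override_ssh_port' is an assumed field name used only for this demo.
$unsafe = render_port_input_unsafe('override_ssh_port', $stored);
$safe   = render_port_input_safe('override_ssh_port', $stored);

// Check whether the payload survives as markup in each rendering.
var_dump(strpos($unsafe, '<img') !== false);
var_dump(strpos($safe, '<img') !== false);
echo $safe, PHP_EOL;

// The payload fails validation; a real port number passes.
var_dump(validate_port($stored));
var_dump(validate_port('2222'));
```

Output encoding is the control that closes the bug; the port validation only narrows what can reach storage and does not protect values already stored.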
Affected packages (1)
- Packagist/librenms/librenms: >= 23.9.0, < 24.11.0
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 4.6 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N |
References (5)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2025-23200
- PATCH: https://github.com/librenms/librenms
- WEB: https://github.com/librenms/librenms/commit/26258a2518dbfa55b213ec4b90ec16ed97efb597
- WEB: https://github.com/librenms/librenms/pull/16722
- WEB: https://github.com/librenms/librenms/security/advisories/GHSA-c66p-64fj-jmc2