LibreNMS, Reflected Cross-Site Scripting, CVE-2025-XXXXX (Moderate)

The CVE-2025-XXXXX vulnerability in LibreNMS is a Reflected Cross-Site Scripting (XSS) flaw located within the `report_this` function in /includes/functions.php. The issue arises from improper neutralization of user-controlled input that is subsequently output within an `href` attribute. The function uses `htmlentities()` for encoding, which is effective for content placed inside HTML element bodies but is insufficient for attributes. An attacker can craft a malicious URL where the `project_issues` parameter contains a `javascript:` scheme payload. When a user clicks the generated hyperlink, the malicious JavaScript code executes in the context of the victim’s session. This occurs because the `htmlentities()` function does not escape colon characters, allowing the `javascript:` pseudo-protocol to remain active and trigger upon user interaction.
Platform: LibreNMS
Version: Master branch
Vulnerability: Reflected XSS
Severity: Moderate

date: 2025-10-13

Prediction: Patch by 2025-10-20

What Undercode Says:

Searching for the vulnerable code pattern:

```sh
grep -n "report_this" includes/functions.php
grep -n "project_issues" includes/html/functions.inc.php
```

Example of a malicious HTTP request triggering the vulnerability:

```sh
curl -G 'http://librenms-host/ajax_form.php' --data-urlencode 'project_issues=javascript:alert(1)'
```

Vulnerable code snippet from includes/functions.php (the value reaches the `href` attribute after passing only through `htmlentities()`):

```php
<?php
function report_this($text) {
    // ...
    // htmlentities() encodes <, >, & and quote characters, but not the colon,
    // so a "javascript:" scheme survives unchanged into the attribute value.
    $project_issues = htmlentities($_GET['project_issues']);
    return "<a href='$project_issues'>$text</a>"; // XSS occurs here
}
```

How to Exploit:

Attacker sends a crafted link with a malicious `project_issues` parameter. A victim user must click the link, executing the attacker’s script in their browser session, potentially stealing cookies or performing actions on their behalf.
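Because the delivery vector is a crafted link against `ajax_form.php`, attempts leave a trace in the web server access log. The following is an added example (not LibreNMS code) that scans constructed combined-format log lines and flags any request whose `project_issues` value starts with a scheme other than `http`/`https`. The log layout, the function names and the sample lines are assumptions made for this illustration.

```php
<?php
// Added example, not LibreNMS code: flag access-log requests whose
// project_issues parameter carries a URL scheme other than http(s).
// Log layout, function names and sample lines are constructed assumptions.

function extract_project_issues(string $logLine): ?string
{
    // Request target from a combined-format line: "GET /path?query HTTP/1.1"
    if (preg_match('#"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"#', $logLine, $m) !== 1) {
        return null;
    }
    $query = parse_url($m[1], PHP_URL_QUERY);
    if (!is_string($query)) {
        return null;
    }
    parse_str($query, $params);     // parse_str() percent-decodes the values
    return isset($params['project_issues']) ? (string) $params['project_issues'] : null;
}

function has_disallowed_scheme(string $value): bool
{
    // Normalise roughly the way a browser does before reading the scheme:
    // decode once more for double-encoded values and drop leading whitespace.
    $v = ltrim(rawurldecode($value));
    if ($v === '' || $v[0] === '/' || preg_match('#^https?://#i', $v) === 1) {
        return false;                // relative path or plain http(s) URL
    }
    // Any other explicit scheme (javascript:, data:, vbscript:, ...) is flagged.
    return preg_match('#^[a-z][a-z0-9+.\-]*:#i', $v) === 1;
}

function suspicious_requests(array $logLines): array
{
    $hits = [];
    foreach ($logLines as $line) {
        $value = extract_project_issues($line);
        if ($value !== null && has_disallowed_scheme($value)) {
            $hits[] = ['line' => $line, 'project_issues' => $value];
        }
    }
    return $hits;
}

// Constructed sample lines (not real LibreNMS traffic).
$sample = [
    '10.0.0.5 - - [13/Oct/2025:10:00:01 +0000] "GET /ajax_form.php?project_issues=https%3A%2F%2Fexample.invalid%2Fissues%2F1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [13/Oct/2025:10:00:02 +0000] "GET /ajax_form.php?project_issues=javascript%3Aalert(1) HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [13/Oct/2025:10:00:03 +0000] "GET /devices HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
];

foreach (suspicious_requests($sample) as $hit) {
    printf("suspicious project_issues=%s\n    %s\n", $hit['project_issues'], $hit['line']);
}
```

Only the second sample line is reported. The scheme check is deliberately an allowlist (http, https or a relative path) rather than a search for the string `javascript`, so case changes or other scheme names do not slip past it.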

Protection from this CVE:

Apply the vendor patch. Encode output according to its context: `urlencode()` for values placed into URL parameters and `htmlspecialchars()` with `ENT_QUOTES` for HTML attributes. Validate and sanitize all user input, rejecting `javascript:` and any other dangerous URL scheme.
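To make the three recommendations concrete, here is an added example (not LibreNMS code and not the vendor patch) of a hardened version of the `report_this` pattern. It shows both fixes the paragraph names: scheme allowlisting plus `htmlspecialchars()` with `ENT_QUOTES` when the value is meant to be a URL, and `rawurlencode()` into a fixed base URL when the value is only a parameter. Function names, the base URL and the sample inputs are assumptions made for this illustration.

```php
<?php
// Added example, not LibreNMS code. Contextual encoding for the pattern
// "user value -> href attribute". Function names, the base URL and the
// sample inputs are constructed assumptions.

// Case 1: the value is expected to be a full URL. Allowlist the scheme first,
// because no HTML encoding can neutralise "javascript:", then encode for the
// attribute context.
function safe_link_target(string $candidate, string $fallback = '#'): string
{
    $candidate = trim($candidate);
    // A same-site relative path is acceptable (but not a protocol-relative "//host").
    if ($candidate !== '' && $candidate[0] === '/' && !str_starts_with($candidate, '//')) {
        return $candidate;
    }
    // Anything with a scheme must be http(s); javascript:, data:, vbscript: etc. fall back.
    if (preg_match('#^https?://#i', $candidate) !== 1) {
        return $fallback;
    }
    $parts = parse_url($candidate);
    if ($parts === false || empty($parts['host'])) {
        return $fallback;
    }
    return $candidate;
}

// Case 2: the value is an opaque parameter (issue id, search text) that belongs
// inside a fixed, trusted URL. Percent-encoding it there means it can never
// supply a scheme at all.
function issue_search_url(string $issue): string
{
    return 'https://example.invalid/issues?q=' . rawurlencode($issue);
}

// Attribute context: ENT_QUOTES encodes both ' and ", so the value cannot
// close the attribute whichever quote style the template uses.
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function report_this_fixed(string $text, string $projectIssues): string
{
    $href = safe_link_target($projectIssues);
    return '<a href="' . attr($href) . '">' . attr($text) . '</a>';
}

// Constructed inputs: a legitimate URL, the payload shape from the advisory,
// and a relative path. The javascript: value is replaced by the inert "#".
$inputs = [
    'https://example.invalid/issues/42',
    'javascript:alert(1)',
    '/report',
];
foreach ($inputs as $in) {
    echo report_this_fixed('Report this', $in), PHP_EOL;
}

// Parameter form: rawurlencode() turns the colon into %3A, so the value is
// plain query text inside a URL whose scheme the application controls.
echo '<a href="' . attr(issue_search_url('javascript:alert(1)')) . '">search</a>', PHP_EOL;
```

The order matters: validate the scheme on the raw value first, then apply the attribute encoding to whatever survives. Encoding alone is not a fix here, since neither `htmlentities()` nor `htmlspecialchars()` touches the colon that makes the `javascript:` pseudo-protocol work.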

Impact:

Session hijacking, unauthorized actions, data theft.

Sources:

Reported By: github.com