A stored Cross-Site Scripting (XSS) vulnerability exists in LibreNMS versions prior to 25.12.0 within the Alert Rule API. The flaw resides in improper sanitization of the alert rule name parameter during rule creation or updates via the API. When an authenticated administrator creates an alert rule, the name input is not properly filtered, allowing injection of malicious HTML and JavaScript code. The payload is stored in the database and later rendered unsafely at line 63 of `includes/html/modal/alert_rule_list.inc.php` without proper output encoding. When any administrator views the alert rules page, the injected script executes in their browser context. The vulnerability can be triggered by submitting a crafted POST request to the `/alert-rule` endpoint containing JavaScript payloads within the `builder_json` parameter or the rule name field. This allows attackers with admin privileges to compromise other admin sessions, potentially leading to account takeover or unauthorized actions. The issue was addressed in version 25.12.0 by stripping HTML tags from alert rule names and notes.
Platform: LibreNMS
Version: 25.12.0
Vulnerability: Stored XSS
Severity: Medium
Date: 2025-12-23
Prediction: Patch exists
What Undercode Say:
```bash
# Exploit PoC - create alert rule with XSS payload
curl -X POST http://target/alert-rule \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -H 'X-CSRF-TOKEN: [bash]' \
  -d '_token=[bash]&device_id=1&name=Test+rule&builder_json=%7B%22condition%22%3A%22AND%22%2C%22rules%22%3A%5B%7B%22id%22%3A%22access_points.accesspoint_id%22%2C%22field%22%3A%22access_points.accesspoint_id%22%2C%22type%22%3A%22string%22%2C%22input%22%3A%22text%22%2C%22operator%22%3A%22equal%22%2C%22value%22%3A%22%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E%22%7D%5D%2C%22valid%22%3Atrue%7D'
```

```bash
# Check current version for vulnerability
cd /opt/librenms && git status
./validate.php | grep "Version:"
```

```bash
# Upgrade to patched version
cd /opt/librenms
git pull origin master
git checkout 25.12.0
./scripts/composer_wrapper.php install --no-dev
./daily.sh
```

```bash
# Database cleanup for existing malicious rules
mysql -u librenms -p librenms -e "SELECT id,name FROM alert_rules WHERE name LIKE '%<script>%' OR name LIKE '%javascript:%';"
mysql -u librenms -p librenms -e "UPDATE alert_rules SET name = '[bash]' WHERE name LIKE '%<script>%' OR name LIKE '%javascript:%';"
```
How the exploit works:
- An attacker with admin credentials navigates to the device edit page and opens the alert rules section
- Creates a new alert rule with a malicious JavaScript payload in the rule value field or the rule name
- The payload is stored in the database without proper sanitization
- When any admin visits the alert rules listing page, the script executes automatically
- The malicious script can steal session cookies, perform actions on behalf of the victim, or deface the interface
Protection from this CVE:
Upgrade to LibreNMS version 25.12.0 or later. Implement Content Security Policy (CSP) headers to restrict script execution. Apply context-aware output encoding using `htmlspecialchars()` with `ENT_QUOTES` for all user-supplied data rendered in pages. Validate and sanitize all alert rule inputs on both the client and server sides. Restrict admin account access to trusted users only.
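To make the mitigation concrete, here is an added PHP example (not LibreNMS's own code) that contrasts the unsafe rendering pattern the advisory describes with output encoding via `htmlspecialchars()` and `ENT_QUOTES`, adds the input-side tag stripping used by the 25.12.0 fix, and includes an audit check that is stricter than the `LIKE '%<script>%'` query above. The function names and the `$rules` rows are constructed for this illustration.

```php
<?php
// Added example, not LibreNMS code. Function names and sample rows are
// constructed for illustration only.
declare(strict_types=1);

// Unsafe: the stored name is interpolated straight into HTML, which is the
// pattern the advisory describes. Any markup in the name reaches the browser.
function renderRowUnsafe(array $rule): string
{
    return "<tr><td>{$rule['id']}</td><td>{$rule['name']}</td></tr>";
}

// Safe: encode on output. ENT_QUOTES neutralises <, >, &, " and ' so the
// value is shown as text no matter what was stored in the database.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function renderRowSafe(array $rule): string
{
    return '<tr><td>' . e((string) $rule['id']) . '</td><td>' . e($rule['name']) . '</td></tr>';
}

// Input-side hardening matching the fix: strip tags before storing the name.
// This is defence in depth and does not replace output encoding.
function sanitiseRuleName(string $name): string
{
    return trim(strip_tags($name));
}

// Audit helper for the clean-up step: flags any stored name containing markup
// or a javascript: URL, not only the literal '<script>' substring.
function ruleNameLooksMalicious(string $name): bool
{
    return $name !== strip_tags($name) || stripos($name, 'javascript:') !== false;
}

// Constructed sample rows standing in for alert_rules records.
$rules = [
    ['id' => 1, 'name' => 'CPU usage > 90%'],
    ['id' => 2, 'name' => 'Test rule <script>alert(document.cookie)</script>'],
];

foreach ($rules as $rule) {
    echo renderRowSafe($rule), PHP_EOL;          // markup is rendered as text
    if (ruleNameLooksMalicious($rule['name'])) {
        echo "rule {$rule['id']} needs review: ", sanitiseRuleName($rule['name']), PHP_EOL;
    }
}
```

Note that a legitimate name such as `CPU usage > 90%` survives both the audit and `strip_tags()` and is rendered as `&gt;`, so the check can be run against the whole table without mangling real rules.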
Impact:
Successful exploitation allows attackers to execute arbitrary JavaScript in the context of victim admin sessions. This can lead to session hijacking, theft of authentication cookies, credential harvesting, unauthorized configuration changes, and potential privilege escalation within the monitoring environment. Because the payload is stored, the attack persists until the malicious rule is removed.
Sources:
Reported By: github.com

