ghsa-6g2v-66ch-6xmh
Vulnerability from github
Executive Summary
Product: LibreNMS
Vendor: LibreNMS
Vulnerability Type: Cross-Site Scripting (XSS)
CVSS Score: 4.3 (AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L)
Affected Version: 25.8.0 (latest at time of discovery)
POC File: Download POC
Ticket: ZDI-CAN-28105: LibreNMS Alert Rules Cross-Site Scripting Vulnerability
Vulnerability Details
Description
Trend Micro's Zero Day Initiative has identified a Cross-Site Scripting vulnerability in LibreNMS. The vulnerability exists in the Alert Rules functionality where the alert rule name is not properly sanitized, allowing injection of HTML code.
Technical Details
Version Tested: 25.8.0
Installer File: 25.8.0.tar.gz
Download Link: https://github.com/librenms/librenms/archive/refs/tags/25.8.0.tar.gz
Platform: N/A
Attack Vector
When browsing to Alerts > Alert Rules page, a LibreNMS admin can add and manage alert rules. The alert rule name field is vulnerable to XSS attacks through improper sanitization.
Root Cause Analysis
Vulnerable Request
When creating or updating an alert rule, the following HTTP POST request is sent to /ajax_form.php:
``` POST /ajax_form.php HTTP/1.1 ...
_token=9YjTntCuMIe2ujpumwqJQoENRXUhJzlDt33Xu7kx&device_id=-1&device_name=&rule_id=&type=alert-rules&template_id=&builder_json=%7B%22condition%22%3A%22AND%22%2C%22rules%22%3A%5B%7B%22id%22%3A%22access_points.accesspoint_id%22%2C%22field%22%3A%22access_points.accesspoint_id%22%2C%22type%22%3A%22string%22%2C%22input%22%3A%22text%22%2C%22operator%22%3A%22equal%22%2C%22value%22%3A%2242%22%7D%5D%2C%22valid%22%3Atrue%7D&name=%3Ci%3Efoo%3C%2Fi%3E&builder_rule_0_filter=access_points.accesspoint_id&builder_rule_0_operator=equal&builder_rule_0_value_0=42&severity=warning&count=1&delay=1m&interval=5m&recovery=on&acknowledgement=on&proc=¬es=&adv_query= ```
Code Flow
- Request Processing: PHP script
includes/html/forms/alert-rules.inc.phpprocesses the request - Sanitization Attempt: Calls
strip_tags()to sanitize thenameparameter - Database Operation: Calls
dbUpdate()ordbInsert()to save the rule
Bypass Technique
The sanitization can be bypassed using XML character references:
html
<script>alert(1)</script>
Execution Path
- Page Load: Victim browses to Alerts > Alert Rules page
- Script Execution:
includes/html/print-alert/rules.phpis called - Modal Inclusion: Includes
includes/html/modal/alert_rule_list.inc.phpwhich returns HTML for modal window - Table Rendering: Modal contains HTML table with all rules and inline JavaScript calling
bootgrid()function - XSS Trigger: The
bootgrid()function (http://www.jquery-bootgrid.com/) rewrites table cells, decoding XML character references - Code Execution: Browser interprets the decoded payload as HTML tags and executes the injected script
Proof of Concept
Usage
bash
python3 poc.py client ip_addr -U <username> -P <password>
Optional Parameters
-E [kvp|multipart]- Specify HTTP request parameter encoding
Credit
Discovered by: Simon Humbert of Trend Research, Trend Micro
About Zero Day Initiative (ZDI)
Established by TippingPoint and acquired by Trend Micro, the Zero Day Initiative (ZDI) neither re-sells vulnerability details nor exploit code. Instead, upon notifying the affected product vendor, the ZDI provides its Trend Micro TippingPoint customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available.
References
- ZDI Website: http://www.zerodayinitiative.com
- Disclosure Policy: http://www.zerodayinitiative.com/advisories/disclosure_policy/
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 25.8.0"
},
"package": {
"ecosystem": "Packagist",
"name": "librenms/librenms"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "25.10.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-62412"
],
"database_specific": {
"cwe_ids": [
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2025-10-16T20:18:32Z",
"nvd_published_at": "2025-10-16T18:15:39Z",
"severity": "LOW"
},
"details": "## Executive Summary\n\n**Product:** LibreNMS \n**Vendor:** LibreNMS \n**Vulnerability Type:** Cross-Site Scripting (XSS) \n**CVSS Score:** 4.3 (AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L) \n**Affected Version:** 25.8.0 (latest at time of discovery) \n**POC File:** [Download POC](https://trendmicro-my.sharepoint.com/:u:/p/kholoud_altookhy/EQYQOiGddUtOtz6739YUFU4B5FkNob_TvKBYEA8P6lSRQw?e=lDOR5W)\n**Ticket:** ZDI-CAN-28105: LibreNMS Alert Rules Cross-Site Scripting Vulnerability\n\n## Vulnerability Details\n\n### Description\nTrend Micro\u0027s Zero Day Initiative has identified a Cross-Site Scripting vulnerability in LibreNMS. The vulnerability exists in the Alert Rules functionality where the alert rule name is not properly sanitized, allowing injection of HTML code.\n\n### Technical Details\n\n**Version Tested:** 25.8.0 \n**Installer File:** 25.8.0.tar.gz \n**Download Link:** https://github.com/librenms/librenms/archive/refs/tags/25.8.0.tar.gz \n**Platform:** N/A\n\n### Attack Vector\nWhen browsing to **Alerts \u003e Alert Rules** page, a LibreNMS admin can add and manage alert rules. The alert rule name field is vulnerable to XSS attacks through improper sanitization.\n\n## Root Cause Analysis\n\n### Vulnerable Request\nWhen creating or updating an alert rule, the following HTTP POST request is sent to `/ajax_form.php`:\n\n ```\nPOST /ajax_form.php HTTP/1.1\n...\n\n_token=9YjTntCuMIe2ujpumwqJQoENRXUhJzlDt33Xu7kx\u0026device_id=-1\u0026device_name=\u0026rule_id=\u0026type=alert-rules\u0026template_id=\u0026builder_json=%7B%22condition%22%3A%22AND%22%2C%22rules%22%3A%5B%7B%22id%22%3A%22access_points.accesspoint_id%22%2C%22field%22%3A%22access_points.accesspoint_id%22%2C%22type%22%3A%22string%22%2C%22input%22%3A%22text%22%2C%22operator%22%3A%22equal%22%2C%22value%22%3A%2242%22%7D%5D%2C%22valid%22%3Atrue%7D\u0026name=%3Ci%3Efoo%3C%2Fi%3E\u0026builder_rule_0_filter=access_points.accesspoint_id\u0026builder_rule_0_operator=equal\u0026builder_rule_0_value_0=42\u0026severity=warning\u0026count=1\u0026delay=1m\u0026interval=5m\u0026recovery=on\u0026acknowledgement=on\u0026proc=\u0026notes=\u0026adv_query=\n```\n\n### Code Flow\n\n1. **Request Processing:** PHP script `includes/html/forms/alert-rules.inc.php` processes the request\n2. **Sanitization Attempt:** Calls `strip_tags()` to sanitize the `name` parameter\n3. **Database Operation:** Calls `dbUpdate()` or `dbInsert()` to save the rule\n\n### Bypass Technique\nThe sanitization can be bypassed using XML character references:\n\n```html\n\u0026lt;script\u003ealert(1)\u0026lt;/script\u003e\n```\n\n### Execution Path\n\n1. **Page Load:** Victim browses to Alerts \u003e Alert Rules page\n2. **Script Execution:** `includes/html/print-alert/rules.php` is called\n3. **Modal Inclusion:** Includes `includes/html/modal/alert_rule_list.inc.php` which returns HTML for modal window\n4. **Table Rendering:** Modal contains HTML table with all rules and inline JavaScript calling `bootgrid()` function\n5. **XSS Trigger:** The `bootgrid()` function (http://www.jquery-bootgrid.com/) rewrites table cells, decoding XML character references\n6. **Code Execution:** Browser interprets the decoded payload as HTML tags and executes the injected script\n\n## Proof of Concept\n\n### Usage\n```bash\npython3 poc.py client ip_addr -U \u003cusername\u003e -P \u003cpassword\u003e\n```\n\n### Optional Parameters\n- `-E [kvp|multipart]` - Specify HTTP request parameter encoding\n\n## Credit\n\n**Discovered by:** Simon Humbert of Trend Research, Trend Micro\n\n## About Zero Day Initiative (ZDI)\n\nEstablished by TippingPoint and acquired by Trend Micro, the Zero Day Initiative (ZDI) neither re-sells vulnerability details nor exploit code. Instead, upon notifying the affected product vendor, the ZDI provides its Trend Micro TippingPoint customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available.\n\n## References\n\n- **ZDI Website:** http://www.zerodayinitiative.com\n- **Disclosure Policy:** http://www.zerodayinitiative.com/advisories/disclosure_policy/",
"id": "GHSA-6g2v-66ch-6xmh",
"modified": "2025-10-16T20:18:32Z",
"published": "2025-10-16T20:18:32Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/librenms/librenms/security/advisories/GHSA-6g2v-66ch-6xmh"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62412"
},
{
"type": "WEB",
"url": "https://github.com/librenms/librenms/commit/dccdf6769976a974d70f06a7ce8d5a846b29db6f"
},
{
"type": "PACKAGE",
"url": "https://github.com/librenms/librenms"
},
{
"type": "WEB",
"url": "https://github.com/librenms/librenms/releases/tag/25.10.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "LibreNMS alert-rules has a Cross-Site Scripting Vulnerability"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.