ghsa-frc6-pwgr-c28w
Vulnerability from github
Published
2025-10-16 16:52
Modified
2025-10-16 19:28
Severity ?
5.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
Summary
LibreNMS has a Stored XSS vulnerability in its Alert Transport name field
Details

Summary

LibreNMS <= 25.8.0 contains a Stored Cross-Site Scripting (XSS) vulnerability in the Alert Transports management functionality. When an administrator creates a new Alert Transport, the value of the Transport name field is stored and later rendered in the Transports column of the Alert Rules page without proper input validation or output encoding. This leads to arbitrary JavaScript execution in the admin’s browser.

Details

  • Injection point: Transport name field in /alert-transports.
  • Execution point: Transports column in /alert-rules.
  • Scope: Only administrators can create Alert Transports, and only administrators can view the affected Alert Rules page. Therefore, both exploitation and impact are limited to admin users.

Steps to reproduce

  1. Log in with an administrator account.
  2. Navigate to:

http://localhost:8000/alert-transports 3. Click Create alert transport and provide the following values:

  • Transport name:

    html 'onfocus='alert(1)' autofocus= * Default Alert: ON * Email: test@gmail.com (or any valid email)

    Save the transport.

  • Navigate to http://localhost:8000/alert-rules. A popup alert(1) is triggered, confirming that the payload executes. image

Impact

Only accounts with the admin role who access the Alert Rules page (http://localhost:8000/alert-rules) are affected.

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "librenms/librenms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "25.10.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-62411"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-10-16T16:52:13Z",
    "nvd_published_at": "2025-10-16T18:15:39Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nLibreNMS \u003c= 25.8.0 contains a **Stored Cross-Site Scripting (XSS)** vulnerability in the Alert Transports management functionality. When an administrator creates a new Alert Transport, the value of the `Transport name` field is stored and later rendered in the **Transports** column of the **Alert Rules** page without proper input validation or output encoding. This leads to arbitrary JavaScript execution in the admin\u2019s browser.\n\n### Details\n\n* **Injection point:** `Transport name` field in `/alert-transports`.\n* **Execution point:** **Transports** column in `/alert-rules`.\n* **Scope:** Only administrators can create Alert Transports, and only administrators can view the affected Alert Rules page. Therefore, both exploitation and impact are limited to admin users.\n\n### Steps to reproduce\n\n1. Log in with an administrator account.\n2. Navigate to:\n\n   ```\n   http://localhost:8000/alert-transports\n   ```\n3. Click **Create alert transport** and provide the following values:\n\n   * **Transport name:**\n\n     ```html\n     \u0027onfocus=\u0027alert(1)\u0027 autofocus=\n     ```\n   * **Default Alert:** `ON`\n   * **Email:** `test@gmail.com` (or any valid email)\n   \n    Save the transport.\n   \n4. Navigate to ```http://localhost:8000/alert-rules```. A popup `alert(1)` is triggered, confirming that the payload executes.\n\u003cimg width=\"1829\" height=\"396\" alt=\"image\" src=\"https://github.com/user-attachments/assets/932ba17d-214d-4253-80b8-62539d1cfa28\" /\u003e\n\n### Impact\n\nOnly accounts with the admin role who access the **Alert Rules** page (`http://localhost:8000/alert-rules`) are affected.",
  "id": "GHSA-frc6-pwgr-c28w",
  "modified": "2025-10-16T19:28:59Z",
  "published": "2025-10-16T16:52:13Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/librenms/librenms/security/advisories/GHSA-frc6-pwgr-c28w"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62411"
    },
    {
      "type": "WEB",
      "url": "https://github.com/librenms/librenms/commit/706a77085f4d5964f7de9444208ef707e1f79450"
    },
    {
      "type": "WEB",
      "url": "https://github.com/librenms/librenms/commit/e1ead366239b57e88f9a06d4f7c213b1e2530cd8"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/librenms/librenms"
    },
    {
      "type": "WEB",
      "url": "https://github.com/librenms/librenms/releases/tag/25.10.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "LibreNMS has a Stored XSS vulnerability in its Alert Transport name field"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.