ghsa-j8cq-7f6p-256x
Vulnerability from github
Summary
A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the LibreNMS application at the /maps/nodeimage endpoint. The Image Name parameter is reflected in the HTTP response without proper output encoding or sanitization, allowing an attacker to craft a URL that, when visited by a victim, causes arbitrary JavaScript execution in the victim’s browser.
Details
-
Vulnerable Endpoint:
GET /maps/nodeimage -
Parameter:
Image Name(reflected in response) -
Vulnerability type: Reflected Cross-Site Scripting (XSS) — input is reflected in server response and executed in victim browser.
-
CWE: CWE-79 (Improper Neutralization of Input During Web Page Generation — Cross-site Scripting)
Description
The application takes the value of the Image Name parameter from a request to /maps/nodeimage and includes it in the generated page or response without proper contextual encoding. Because the input is reflected immediately back to the client and parsed as HTML/JavaScript by the browser, an attacker can craft a URL containing a malicious script. If a victim (for example, an authenticated user or administrator) is tricked into visiting that URL, the injected script will execute in the victim’s browser context.
Proof of Concept (PoC)
Construct a request that includes the following payload in the Image Name parameter. The payload below should be used exactly as provided:
```
alert('PoC-XXS51')```
Steps to reproduce
-
Authenticate as any user allowed to manage Node Images;
-
Navigate the endpoint '/maps/nodeimage' and click on "New Image". Choose any valide image and, on
Image Nameparameter, insert the payload above .
- Observe the server response page; if vulnerable, the payload will be executed by the browser and an alert box with
PoC-XXS51will appear.
Observed behavior
The supplied payload is reflected in the HTTP response and interpreted by the browser, resulting in immediate execution (demonstrated by an alert popup). This confirms the application does not perform appropriate output encoding for the Image Name parameter.
Impact
Reflected XSS can be used to:
-
Execute arbitrary JavaScript in the context of any user who visits the crafted link.
-
Steal session cookies or authentication tokens (leading to session hijacking).
-
Perform actions on behalf of the victim (CSRF-like actions executed via script).
-
Phish users by manipulating the page UI, or exfiltrate sensitive information visible to the victim.
-
Pivot to further attacks depending on application context and user privileges.
References
-
CWE-79 — Cross-Site Scripting (XSS).
-
OWASP XSS Prevention Cheat Sheet.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "librenms/librenms"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "25.11.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-65013"
],
"database_specific": {
"cwe_ids": [
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2025-11-18T18:21:28Z",
"nvd_published_at": "2025-11-18T23:15:56Z",
"severity": "MODERATE"
},
"details": "## Summary\n\nA Reflected Cross-Site Scripting (XSS) vulnerability was identified in the LibreNMS application at the `/maps/nodeimage` endpoint. The `Image Name` parameter is reflected in the HTTP response without proper output encoding or sanitization, allowing an attacker to craft a URL that, when visited by a victim, causes arbitrary JavaScript execution in the victim\u2019s browser.\n\n## Details\n\n- **Vulnerable Endpoint:** `GET /maps/nodeimage`\n \n- **Parameter:** `Image Name` (reflected in response)\n \n- **Vulnerability type:** Reflected Cross-Site Scripting (XSS) \u2014 input is reflected in server response and executed in victim browser.\n \n- **CWE:** CWE-79 (Improper Neutralization of Input During Web Page Generation \u2014 Cross-site Scripting)\n \n\n## Description\n\nThe application takes the value of the `Image Name` parameter from a request to `/maps/nodeimage` and includes it in the generated page or response without proper contextual encoding. Because the input is reflected immediately back to the client and parsed as HTML/JavaScript by the browser, an attacker can craft a URL containing a malicious script. If a victim (for example, an authenticated user or administrator) is tricked into visiting that URL, the injected script will execute in the victim\u2019s browser context.\n\n## Proof of Concept (PoC)\n\nConstruct a request that includes the following payload in the `Image Name` parameter. The payload below should be used exactly as provided:\n\n```\n\u003cscript\u003ealert(\u0027PoC-XXS51\u0027)\u003c/script\u003e\n```\n\n## Steps to reproduce\n\n1. Authenticate as any user allowed to manage Node Images;\n \n2. Navigate the endpoint \u0027/maps/nodeimage\u0027 and click on \"New Image\". Choose any valide image and, on `Image Name` parameter, insert the payload above .\n\n\u003cimg width=\"804\" height=\"408\" alt=\"image\" src=\"https://github.com/user-attachments/assets/e6de8fc5-80a3-4cc3-81c5-2435dec25372\" /\u003e\n\n \n3. Observe the server response page; if vulnerable, the payload will be executed by the browser and an alert box with `PoC-XXS51` will appear.\n\n\u003cimg width=\"713\" height=\"589\" alt=\"image\" src=\"https://github.com/user-attachments/assets/202d602a-5f0b-4c7c-bb89-ffd1280c9e29\" /\u003e\n\n## Observed behavior\n\nThe supplied payload is reflected in the HTTP response and interpreted by the browser, resulting in immediate execution (demonstrated by an alert popup). This confirms the application does not perform appropriate output encoding for the `Image Name` parameter.\n\n## Impact\n\nReflected XSS can be used to:\n\n- Execute arbitrary JavaScript in the context of any user who visits the crafted link.\n \n- Steal session cookies or authentication tokens (leading to session hijacking).\n \n- Perform actions on behalf of the victim (CSRF-like actions executed via script).\n \n- Phish users by manipulating the page UI, or exfiltrate sensitive information visible to the victim.\n \n- Pivot to further attacks depending on application context and user privileges.\n \n\n## References\n\n- CWE-79 \u2014 Cross-Site Scripting (XSS).\n \n- OWASP XSS Prevention Cheat Sheet.",
"id": "GHSA-j8cq-7f6p-256x",
"modified": "2025-11-19T14:22:54Z",
"published": "2025-11-18T18:21:28Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/librenms/librenms/security/advisories/GHSA-j8cq-7f6p-256x"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-65013"
},
{
"type": "PACKAGE",
"url": "https://github.com/librenms/librenms"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "LibreNMS vulnerable to Reflected Cross-Site Scripting (XSS) in endpoint `/maps/nodeimage` parameter `Image Name` "
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.