CVE-2023-4981 - How a Simple DOM XSS in LibreNMS Almost Let Attackers Take Over Your Monitoring

---

Introduction

In late 2023, security researchers discovered a DOM-based Cross-site Scripting (XSS) vulnerability in the popular open-source network monitoring tool, LibreNMS. If you’re running LibreNMS before version 23.9., your installation might be at risk. This vulnerability, tracked as CVE-2023-4981, could let an attacker execute arbitrary JavaScript in your browser—and potentially gain access to sensitive data or controls.

In this post, I’ll break down what DOM XSS means, how this specific bug works (with code examples), ways hackers can exploit it, and resources for staying protected.

What Is DOM-Based Cross-site Scripting (XSS)?

Traditional XSS happens when malicious scripts are injected and saved in a website’s database, then rendered for other users. DOM-based XSS is trickier: it happens entirely on the client side, in the JavaScript code running in your browser. If client-side code uses untrusted data from the URL (or other sources) to modify the page using innerHTML, document.write, etc., it can lead to XSS.

In short: Unsafe JavaScript code can make your browser run attacker-supplied commands—even if the backend is well secured.

The Vulnerability in LibreNMS

LibreNMS prior to 23.9. failed to sanitize user-controlled data from the URL hash (location.hash) before inserting it into the page. A common pattern is to read part of the URL and display it as-is, giving attackers a chance to sneak in scripts.

Simplified Vulnerable Code

// This code runs when the page loads
window.onload = function() {
    var tab = location.hash.substr(1); // No sanitization!
    document.getElementById('main-content').innerHTML = "Current Tab: " + tab;
};

If the user visits a URL like

https://yourlibrenmsinstance/#<script>alert('Pwned!')</script>;

The page will render

<div id="main-content">
    Current Tab: <script>alert('Pwned!')</script>
</div>

Which means the script runs immediately—game over.

Proof of Concept (PoC) Exploit

Let’s make this practical. Open your LibreNMS prior to 23.9. and append the following to the URL in your browser’s address bar:

#<img src=x onerror="alert('XSS-Works!')">

When you hit enter, you’ll get a popup. In a real attack, an attacker could steal cookies, perform actions as you, or embed a keylogger.

PoC in code

// Vulnerable JS: No escaping or filtering
var urlTab = location.hash.substr(1);
mainContent.innerHTML = "Tab: " + urlTab;
// Attacker controlled: location.hash = '<img src=x onerror=alert("XSS")>'

Real-World Impact

This kind of vulnerability is very dangerous for web apps like LibreNMS that manage critical infrastructure:

- Attackers with access to the network (or through a phishing link) can hijack sessions or escalate privileges.

Exploit Details

Attack Vector: User must visit a crafted URL including a malicious fragment (hash).

Conditions: User views the link while logged into LibreNMS.

Result: Attacker executes arbitrary JavaScript in victim's session (exfiltrate cookies, perform actions, etc).

Send the following link to a target admin

https://nms.example.com/#<svg onload=alert(document.cookie)>

Upon clicking, a popup reveals their cookie—potentially including session tokens.

Official Fix

The bug was patched in pull request #15438, released with v23.9. of LibreNMS. The fix involved sanitizing hash fragments and avoiding dangerous DOM APIs for inserting user data.

Safe Fixed Example

// Fixed: converting any text to safe HTML
var tab = location.hash.substr(1);
document.getElementById('main-content').textContent = "Current Tab: " + tab;

Using textContent (not innerHTML) means no code executes, no matter what is in the hash.


## How to Fix / Protect Yourself

Update LibreNMS to 23.9. or later!

LibreNMS Releases

Always treat client-side input as untrusted—even things like location.hash.

3. Replace any code that uses innerHTML or similar with safer alternatives (textContent or libraries like DOMPurify if HTML output is needed).

References and Links

- CVE Record: CVE-2023-4981
- LibreNMS commit fixing the bug
- OWASP DOM XSS Guide
- Official LibreNMS Security Advisories

Wrapping Up

DOM-based XSS sneaks past traditional server protections; always secure frontend code with the same care as backend logic. If you use LibreNMS, update now! If you have custom code that works with the DOM, watch out for these unsafe APIs. Stay safe, and keep monitoring your monitoring tools!


*This post was made to help network admins, pen-testers, and LibreNMS users understand and protect against real-world XSS threats. If you found this useful, share it with your security team!*

Timeline

Published on: 09/15/2023 01:15:00 UTC
Last modified on: 09/20/2023 13:13:00 UTC