Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-23200
Summary
The librenms is a community-based GPL-licensed network monitoring system. Affected versions are subject to a stored XSS on the `state` parameter in the `ajax_form.php`. Librenms allow remote attackers to inject malicious scripts. When a user views or interacts with the page displaying the data, the malicious script executes immediately, leading to potential unauthorized actions or data exposure. This issue affects librenms/librenms versions 23.9.0 through 24.10.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.
- LOW
- NETWORK
- LOW
- CHANGED
- REQUIRED
- LOW
- LOW
- NONE
CWE-79 - Cross Site Scripting
Cross-Site Scripting, commonly referred to as XSS, is the most dominant class of vulnerabilities. It allows an attacker to inject malicious code into a pregnable web application and victimize its users. The exploitation of such a weakness can cause severe issues such as account takeover, and sensitive data exfiltration. Because of the prevalence of XSS vulnerabilities and their high rate of exploitation, it has remained in the OWASP top 10 vulnerabilities for years.
References
Advisory Timeline
- Published
