Improper Encoding or Escaping of Output

CVE-2024-47528

Medium

4.8/10

Summary

LibreNMS is an open-source, PHP/MySQL/SNMP-based network monitoring system. Stored Cross-Site Scripting (XSS) can be achieved by uploading a new Background for a Custom Map. Users with an "admin" role can set the background for a custom map, this allows the upload of an SVG file that can contain an XSS payload which will trigger on load. This led to Stored Cross-Site Scripting (XSS). The vulnerability affects librenms/librenms versions 24.2.0 prior to 24.9.0.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: LOW
Scope: CHANGED
User Interaction: REQUIRED
Privileges Required: HIGH
Confidentiality Impact: LOW
Availability Impact: NONE

CWE-116 - Improper Encoding or Escaping of Output

The software prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

References

Advisory Timeline

Published Oct 01, 2024

Improper Encoding or Escaping of Output

CVE-2024-47528

Summary

CWE-116 - Improper Encoding or Escaping of Output

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS