Monitoring

In LibreNMS versions before 24.10.0 a medium severity vulnerability CVE-2024-51495 was found in the Device Overview page. This issue allows authenticated users to inject harmful code through the “overwrite_ip” parameter when editing a device. When the page is visited, the malicious code is executed, potentially compromising the accounts of other users. To fix this, update to LibreNMS version 24.10.0 or later. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-51495.

In Sentry version 6.0.9 a medium severity vulnerability CVE-2024-48743 was found. This vulnerability lets attackers exploit the “z” parameter to run unauthorized code remotely. At the time of publication of the CVE, no patch is available. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-48743.

In Nagios XI versions before 2024R1 a critical severity vulnerability CVE-2023-48082 was detected. This vulnerability allows attackers to generate identical API keys for all users, enabling unauthorized authentication. To address this issue, update to Nagios XI 2024R1 or later. For more details, visit https://avd.aquasec.com/nvd/2023/cve-2023-48082.

In LibreNMS versions prior to 24.9.0 a medium severity vulnerability CVE-2024-47528 related to Stored Cross-Site Scripting (XSS) was detected. This vulnerability allows attackers to upload an SVG file containing an XSS payload when setting a background for a custom map. The payload triggers upon loading the map. To address this issue, users should upgrade to version 24.9.0 or later. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-47528.

In LibreNMS versions prior to 24.9.0 a high severity vulnerability CVE-2024-47527 was detected. This vulnerability allows attackers to inject arbitrary JavaScript through the “hostname” parameter in the “Device Dependencies” feature. This could lead to the execution of malicious code within other users’ sessions, potentially compromising their accounts and enabling unauthorized actions. To address this issue, updating to version 24.9.0 is recommended. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-47527.

In LibreNMS versions prior to 24.9.0 a high severity vulnerability CVE-2024-47525 was detected. This Stored Cross-Site Scripting (XSS) vulnerability in the “Alert Rules” feature allows authenticated users to inject arbitrary JavaScript through the “Title” field. This can lead to the execution of malicious code in the context of other users’ sessions, potentially compromising their accounts and enabling unauthorized actions. To address this issue, users are advised to upgrade to version 24.9.0 or later. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-47525.

In LibreNMS a low severity vulnerability CVE-2024-47526 was detected. This vulnerability allows users to inject arbitrary JavaScript into the alert template’s name, which executes immediately upon submission but does not persist after a page refresh. Currently there is no fix version for this vulnerability. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-47526.

In Zabbix versions 5.0.0 – 5.0.42, 6.0.0 – 6.0.30, 6.4.0 – 6.4.15, 7.0.0alpha1 – 7.0.0rc2 a medium severity vulnerability CVE-2024-22122 was detected. This vulnerability allows attackers to execute arbitrary AT commands on a modem through specially crafted input in the “Number” field during SMS notification configuration in Zabbix, due to the lack of validation on both the web interface and server side. To fix this problem, users should upgrade Zabbix to versions 5.0.43rc1, 6.0.31rc1, 6.4.16rc1, and 7.0.0rc3. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-22122.

In Zabbix versions 5.0.8 and 6.0.14 a medium severity vulnerability CVE-2024-36462 was detected. This vulnerability allows attackers to use too many system resources, such as CPU or memory, causing the system to slow down or crash. To fix this problem, users should upgrade Zabbix to version 7.0.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-36462.