Monitoring

In LibreNMS versions before 24.10.0 a medium severity vulnerability CVE-2024-52526 was detected. This vulnerability allows authenticated users to inject arbitrary JavaScript through the “descr” parameter in the “Services” tab of the Device page. This could result in the execution of malicious code within the context of other users’ sessions, potentially compromising their accounts and enabling unauthorized actions. To address this issue, update to LibreNMS version 24.10.0 or later. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-52526.

In LibreNMS versions before 24.10.0 a medium severity vulnerability CVE-2024-51497 was found. It allows logged-in users to add harmful code through the “Custom OID” tab. OID (Object Identifier) is a unique number used to identify specific items or settings in network devices. When creating a new OID, this issue could let attackers run malicious actions on other users’ accounts. To fix this, update to LibreNMS version 24.10.0 or later. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-51497.

In LibreNMS versions before 24.10.0 a medium severity vulnerability CVE-2024-51496 was found in the “metric” parameter of the “/wireless” and “/health” pages. This issue allows attackers to inject harmful code that runs when a user visits these pages. This could compromise the user’s session and allow unauthorized actions. To fix this, update to LibreNMS version 24.10.0 or later. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-51496.

In LibreNMS versions before 24.10.0 a medium severity vulnerability CVE-2024-51495 was found in the Device Overview page. This issue allows authenticated users to inject harmful code through the “overwrite_ip” parameter when editing a device. When the page is visited, the malicious code is executed, potentially compromising the accounts of other users. To fix this, update to LibreNMS version 24.10.0 or later. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-51495.

In Sentry version 6.0.9 a medium severity vulnerability CVE-2024-48743 was found. This vulnerability lets attackers exploit the “z” parameter to run unauthorized code remotely. At the time of publication of the CVE, no patch is available. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-48743.

In Nagios XI versions before 2024R1 a critical severity vulnerability CVE-2023-48082 was detected. This vulnerability allows attackers to generate identical API keys for all users, enabling unauthorized authentication. To address this issue, update to Nagios XI 2024R1 or later. For more details, visit https://avd.aquasec.com/nvd/2023/cve-2023-48082.

In LibreNMS versions prior to 24.9.0 a medium severity vulnerability CVE-2024-47528 related to Stored Cross-Site Scripting (XSS) was detected. This vulnerability allows attackers to upload an SVG file containing an XSS payload when setting a background for a custom map. The payload triggers upon loading the map. To address this issue, users should upgrade to version 24.9.0 or later. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-47528.

In LibreNMS versions prior to 24.9.0 a high severity vulnerability CVE-2024-47527 was detected. This vulnerability allows attackers to inject arbitrary JavaScript through the “hostname” parameter in the “Device Dependencies” feature. This could lead to the execution of malicious code within other users’ sessions, potentially compromising their accounts and enabling unauthorized actions. To address this issue, updating to version 24.9.0 is recommended. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-47527.

In LibreNMS versions prior to 24.9.0 a high severity vulnerability CVE-2024-47525 was detected. This Stored Cross-Site Scripting (XSS) vulnerability in the “Alert Rules” feature allows authenticated users to inject arbitrary JavaScript through the “Title” field. This can lead to the execution of malicious code in the context of other users’ sessions, potentially compromising their accounts and enabling unauthorized actions. To address this issue, users are advised to upgrade to version 24.9.0 or later. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-47525.