Headline
GHSA-j8cq-7f6p-256x: LibreNMS vulnerable to Reflected Cross-Site Scripting (XSS) in endpoint `/maps/nodeimage` parameter `Image Name`
Summary
A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the LibreNMS application at the /maps/nodeimage endpoint. The Image Name parameter is reflected in the HTTP response without proper output encoding or sanitization, allowing an attacker to craft a URL that, when visited by a victim, causes arbitrary JavaScript execution in the victim’s browser.
Details
Vulnerable Endpoint:
GET /maps/nodeimageParameter:
Image Name(reflected in response)Vulnerability type: Reflected Cross-Site Scripting (XSS) — input is reflected in server response and executed in victim browser.
CWE: CWE-79 (Improper Neutralization of Input During Web Page Generation — Cross-site Scripting)
Description
The application takes the value of the Image Name parameter from a request to /maps/nodeimage and includes it in the generated page or response without proper contextual encoding. Because the input is reflected immediately back to the client and parsed as HTML/JavaScript by the browser, an attacker can craft a URL containing a malicious script. If a victim (for example, an authenticated user or administrator) is tricked into visiting that URL, the injected script will execute in the victim’s browser context.
Proof of Concept (PoC)
Construct a request that includes the following payload in the Image Name parameter. The payload below should be used exactly as provided:
<script>alert('PoC-XXS51')</script>
Steps to reproduce
Authenticate as any user allowed to manage Node Images;
Navigate the endpoint ‘/maps/nodeimage’ and click on "New Image". Choose any valide image and, on
Image Nameparameter, insert the payload above .
<img width="804" height="408" alt="image" src="https://github.com/user-attachments/assets/e6de8fc5-80a3-4cc3-81c5-2435dec25372" />
- Observe the server response page; if vulnerable, the payload will be executed by the browser and an alert box with
PoC-XXS51will appear.
<img width="713" height="589" alt="image" src="https://github.com/user-attachments/assets/202d602a-5f0b-4c7c-bb89-ffd1280c9e29" />
Observed behavior
The supplied payload is reflected in the HTTP response and interpreted by the browser, resulting in immediate execution (demonstrated by an alert popup). This confirms the application does not perform appropriate output encoding for the Image Name parameter.
Impact
Reflected XSS can be used to:
Execute arbitrary JavaScript in the context of any user who visits the crafted link.
Steal session cookies or authentication tokens (leading to session hijacking).
Perform actions on behalf of the victim (CSRF-like actions executed via script).
Phish users by manipulating the page UI, or exfiltrate sensitive information visible to the victim.
Pivot to further attacks depending on application context and user privileges.
References
CWE-79 — Cross-Site Scripting (XSS).
OWASP XSS Prevention Cheat Sheet.
Summary
A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the LibreNMS application at the /maps/nodeimage endpoint. The Image Name parameter is reflected in the HTTP response without proper output encoding or sanitization, allowing an attacker to craft a URL that, when visited by a victim, causes arbitrary JavaScript execution in the victim’s browser.
Details
Vulnerable Endpoint: GET /maps/nodeimage
Parameter: Image Name (reflected in response)
Vulnerability type: Reflected Cross-Site Scripting (XSS) — input is reflected in server response and executed in victim browser.
CWE: CWE-79 (Improper Neutralization of Input During Web Page Generation — Cross-site Scripting)
Description
The application takes the value of the Image Name parameter from a request to /maps/nodeimage and includes it in the generated page or response without proper contextual encoding. Because the input is reflected immediately back to the client and parsed as HTML/JavaScript by the browser, an attacker can craft a URL containing a malicious script. If a victim (for example, an authenticated user or administrator) is tricked into visiting that URL, the injected script will execute in the victim’s browser context.
Proof of Concept (PoC)
Construct a request that includes the following payload in the Image Name parameter. The payload below should be used exactly as provided:
<script>alert('PoC-XXS51')</script>
Steps to reproduce
Authenticate as any user allowed to manage Node Images;
Navigate the endpoint ‘/maps/nodeimage’ and click on "New Image". Choose any valide image and, on Image Name parameter, insert the payload above .
- Observe the server response page; if vulnerable, the payload will be executed by the browser and an alert box with PoC-XXS51 will appear.
Observed behavior
The supplied payload is reflected in the HTTP response and interpreted by the browser, resulting in immediate execution (demonstrated by an alert popup). This confirms the application does not perform appropriate output encoding for the Image Name parameter.
Impact
Reflected XSS can be used to:
Execute arbitrary JavaScript in the context of any user who visits the crafted link.
Steal session cookies or authentication tokens (leading to session hijacking).
Perform actions on behalf of the victim (CSRF-like actions executed via script).
Phish users by manipulating the page UI, or exfiltrate sensitive information visible to the victim.
Pivot to further attacks depending on application context and user privileges.
References
CWE-79 — Cross-Site Scripting (XSS).
OWASP XSS Prevention Cheat Sheet.
References
- GHSA-j8cq-7f6p-256x