#php

# StoredXSS-LibreNMS-MiscSection **Description:** Stored XSS on the parameter: `ajax_form.php` -> param: state Request: ```http POST /ajax_form.php HTTP/1.1 Host: <your_host> X-Requested-With: XMLHttpRequest X-CSRF-TOKEN: <your_XSRF_token> Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Cookie: <your_cookie> type=override-config&device_id=1&attrib=override_icmp_disable&state="><img%20src%20onerror="alert(1)"> ``` of Librenms version 24.10.1 ([https://github.com/librenms/librenms](https://github.com/librenms/librenms)) allows remote attackers to inject malicious scripts. When a user views or interacts with the page displaying the data, the malicious script executes immediately, leading to potential unauthorized actions or data exposure. The vulnerability in the line: ```php $attrib_val = get_dev_attrib($device, $name); ``` within the `dynamic_override_config` function arises because the value of `$attrib_val is` retrieved from untrusted data without any sanitiz...

# StoredXSS-LibreNMS-Ports **Description:** Stored XSS on the parameter: `/ajax_form.php` -> param: descr Request: ```http POST /ajax_form.php HTTP/1.1 Host: <your_host> X-Requested-With: XMLHttpRequest X-CSRF-TOKEN: <your_XSRF_token> Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Cookie: <your_cookie> type=update-ifalias&descr=%22%3E%3Cimg+src+onerror%3D%22alert(1)%22%3E&ifName=lo&port_id=1&device_id=1 ``` of Librenms version 24.10.1 ([https://github.com/librenms/librenms](https://github.com/librenms/librenms)) allows remote attackers to inject malicious scripts. When a user views or interacts with the page displaying the data, the malicious script executes immediately, leading to potential unauthorized actions or data exposure. **Proof of Concept:** 1. Add a new device through the LibreNMS interface. 2. Edit the newly created device and select the "ports" section. 3. In the "Description" field, enter the following payload: `"><img src onerror="alert(1)">`. ...

An ongoing malvertising campaign steals Google advertiser accounts via fraudulent ads for Google Ads itself.

A critical vulnerability (CVE-2024-50603) in the Aviatrix Controller allows unauthenticated RCE. Active exploitation observed by Wiz Research in…

The ABB BMS/BAS controller suffers from an authenticated stored cross-site scripting vulnerability. Input passed to the 'host' POST parameter is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML/JS code in a user's browser session in context of an affected site.

The ABB Cylon Aspect BMS/BAS controller suffers from an authenticated stored cross-site scripting (XSS) vulnerability. This can be exploited by uploading a malicious .txt file containing an XSS payload, which is stored on the server and served back to users. Although the filename is sanitized via the filename POST parameter, the file contents are not inspected or sanitized, allowing attackers to inject arbitrary client-side scripts that execute in the context of any user accessing the infected file or related web page (license.php). To bypass file upload checks, the request must include the Variant string, enabling the upload process for potential exploitation.

A vulnerability was identified in a PHP script where an off-by-one error in array access could lead to undefined behavior and potential DoS. The issue arises in a loop that iterates over an array using a < condition, allowing access to an out-of-bounds index. This can trigger errors or unexpected behavior when processing data, potentially crashing the application. Successful exploitation of this vulnerability can lead to a crash or disruption of service, especially if the script handles large data sets. This issue can be triggered via the rowCount POST parameter in the Electronic Security Control device update script.

The ABB BMS/BAS controller suffers from improper input validation on the port POST parameter in the webServerUpdate.php script. This input is not validated on the server side and relies on bypassable client-side checks using the inString.js script to verify that the port parameter contains only characters from the set (0123456789). Attackers can bypass these checks and supply arbitrary integer values. Exploitation of this issue can result in configuration poisoning, Denial of Service (DoS) through malformed configurations, or manipulation of server settings via Cross-Site Request Forgery (CSRF) combined with authentication bypass.

The ABB Cylon Aspect BMS/BAS controller suffers from an authenticated blind command injection vulnerability. Input passed to several POST parameters is not properly sanitized when writing files, allowing attackers to execute arbitrary shell commands on the system. There is also an off-by-one error in array access that could lead to undefined behavior and potential DoS.

The ABB Cylon Aspect BMS/BAS controller suffers from an authenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands through the contents of an uploaded .db file, which is passed to the copyFile.sh script. Although the filename is sanitized, the contents of the .db file are not, allowing attackers to inject malicious commands that are executed on the server.