CVE-2024-53457
Published: 05 December 2024
Summary
CVE-2024-53457 is a medium-severity stored Cross-site Scripting (CWE-79) vulnerability in LibreNMS. Its CVSS base score is 5.4 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique JavaScript (T1059.007). The CVE ranks in the top 2.5% of CVEs by EPSS exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
LibreNMS versions 24.9.0 through 24.10.0 contain a stored cross-site scripting vulnerability in the Device Settings section. The flaw, classified as CWE-79, permits injection of arbitrary web scripts or HTML through the Display Name parameter. Its CVSS 3.1 score of 5.4 reflects a network attack vector, low attack complexity, low privileges required, and user interaction required.
An authenticated attacker stores a crafted payload in the Display Name field once; every time another user subsequently views a page that renders that field, the script executes in the victim's browser session with the victim's application privileges. The impact is scoped to the application (theft of session data, or actions performed on the victim's behalf), but because the viewer is often an administrator reviewing device settings, a low-privileged attacker can reach admin-level actions through that user.
The two provided references point to a public proof-of-concept repository that demonstrates the stored XSS vector; neither is an official advisory and neither contains patch guidance. The associated EPSS score has remained flat at 0.4082 with no material increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-3436
Vulnerability details
A stored cross-site scripting (XSS) vulnerability in the Device Settings section of LibreNMS v24.9.0 to v24.10.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Display Name parameter.
- CWE(s): CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Related Threats
MITRE ATT&CK Enterprise Techniques (AI-derived)
Why these techniques?
Stored XSS in the LibreNMS device Display Name allows arbitrary JavaScript execution in victims' browsers when they view pages that render the field (e.g., Alert Rules, Custom OID, ports), enabling drive-by compromise, client-side code execution through the browser's JavaScript interpreter, and theft of web session cookies or browser-stored credentials.
Affected Assets
LibreNMS 24.9.0 through 24.10.0 (Device Settings, Display Name parameter)
Mitigating Controls
Likely Mitigating Controls (AI-derived)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Penetration testing: submitting XSS payloads to web application inputs (including stored fields such as device names) detects cross-site scripting flaws for subsequent remediation.
- Input validation: rejecting or normalizing script-bearing content in fields such as Display Name reduces exposure, but is a defence-in-depth measure and does not replace output encoding, since the same value is rendered in several page contexts.
- Output encoding and sanitization: context-aware escaping of stored values at the point they are generated into a web page (HTML body, attribute value, JavaScript) is the primary fix for stored XSS and removes exploitability even if a payload is already in the database.
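The rendering flaw described in the deeper analysis above and the output-encoding control listed last are two sides of the same pattern. The following is an added example, not LibreNMS code: it contrasts a template that concatenates the stored Display Name straight into markup with one that escapes it, using a constructed payload of the kind the advisory describes, and adds a crude defender-side scan for device rows whose display name already carries markup. The field names (`hostname`, `displayName`) and the sample rows are constructed for the example and do not reflect the LibreNMS schema.

```javascript
// Added example (not LibreNMS code). Field names and sample data are constructed.

// Minimal HTML escaper covering the characters that break out of text and
// attribute contexts. Template engines such as Blade's {{ }} do the same;
// {!! !!} (raw output) does not.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;",
  })[c]);
}

// Vulnerable pattern: the stored value is interpolated directly into HTML,
// both as element text and as an attribute value.
function renderDeviceSettingsUnsafe(device) {
  return `<h2>${device.displayName}</h2>\n` +
         `<input name="display" value="${device.displayName}">`;
}

// Hardened pattern: every interpolation of the stored value is escaped.
// Quote escaping matters for the attribute context, not just < and >.
function renderDeviceSettingsSafe(device) {
  const name = escapeHtml(device.displayName);
  return `<h2>${name}</h2>\n<input name="display" value="${name}">`;
}

// Constructed payload: fires when any other logged-in user views the page.
const PAYLOAD = '<img src=x onerror="alert(document.cookie)">';
const device = { hostname: "sw01.example.net", displayName: PAYLOAD }; // constructed

// Incident-response helper: flag stored display names containing tags,
// event-handler attributes or javascript: URLs. Digits after '<' are not
// treated as tags, so names like "<3rd floor>" are left alone.
function findMarkupInDisplayNames(rows) {
  const re = /<\s*\/?[a-z!][^>]*>|javascript:|\bon[a-z]+\s*=/i;
  return rows.filter(r => re.test(r.displayName)).map(r => r.hostname);
}

// Constructed rows standing in for a device export from the database.
const ROWS = [
  { hostname: "core-rtr-1", displayName: "Core Router 1" },
  { hostname: "sw01.example.net", displayName: PAYLOAD },
  { hostname: "fw-edge", displayName: 'Edge FW "DMZ"' },
  { hostname: "ap-17", displayName: "Lobby AP <3rd floor>" },
];

console.log("unsafe:\n" + renderDeviceSettingsUnsafe(device));
console.log("safe:\n" + renderDeviceSettingsSafe(device));
console.log("rows with markup in display name:", findMarkupInDisplayNames(ROWS));
```

The scan is deliberately coarse: it is a triage aid for finding payloads that were stored before a fix was deployed, not a replacement for escaping at render time. A match on `fw-edge` would be a false positive here, and the regex does not attempt to catch encoded or split payloads.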