CVE-2018-18478
Description
Persistent XSS in LibreNMS before 1.44 allows remote attackers to inject arbitrary web script via dashboard_name parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Persistent Cross-Site Scripting (XSS) in LibreNMS before version 1.44 allows remote attackers to inject arbitrary web script or HTML via the dashboard_name parameter in the /ajax_form.php resource. The vulnerable code resides in html/includes/forms/add-dashboard.inc.php, delete-dashboard.inc.php, and edit-dashboard.inc.php. All versions prior to 1.44 are affected [1][2][4].
Exploitation
An attacker with network access to the LibreNMS web interface and the ability to create, edit, or delete dashboards (requires an authenticated user with appropriate permissions) can inject a malicious payload into the dashboard_name parameter. For example, using the new dashboard form, an attacker can enter `` as the dashboard name. The payload is stored and executed when other users view the dashboard list [4].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser session. This can lead to session hijacking, defacement, data theft, or other malicious actions, potentially compromising the entire LibreNMS instance [2][4].
Mitigation
Upgrade to LibreNMS version 1.44, released in September 2018, which fixes the issue by sanitizing the dashboard_name parameter [1][3]. No workarounds are provided; upgrading is the recommended mitigation.
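An added example, not code from LibreNMS or from the references cited here: a Python check an operator can run over dashboard names exported from the database, flagging stored values that would parse as markup if rendered unescaped and showing their HTML-encoded form. The `(id, name)` row layout, the function names and the sample rows are assumptions constructed for illustration.

```python
import html
from html.parser import HTMLParser

class TagCollector(HTMLParser):
    """Collects the tags and on* attributes an HTML parser sees in a value."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags, self.handlers = [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.handlers += [name for name, _ in attrs if name.startswith("on")]

def audit_name(name):
    """Return (findings, escaped) for one stored dashboard_name value."""
    probe = TagCollector()
    probe.feed(name)
    probe.close()
    findings = []
    if probe.tags:
        findings.append("parses as tags: " + ",".join(probe.tags))
    if probe.handlers:
        findings.append("event-handler attributes: " + ",".join(probe.handlers))
    if not probe.tags and any(c in name for c in "<>\"'"):
        findings.append("contains HTML metacharacters")
    # Output encoding: the form that is safe to place in HTML text or attributes.
    return findings, html.escape(name, quote=True)

def audit_rows(rows):
    """rows: iterable of (dashboard_id, dashboard_name); returns flagged rows only."""
    report = {}
    for dash_id, name in rows:
        findings, escaped = audit_name(name)
        if findings:
            report[dash_id] = {"findings": findings, "escaped": escaped}
    return report

# Constructed sample rows (assumed export format, not from a real database).
SAMPLE_ROWS = [
    (1, "Core routers"),
    (2, "Site A & B"),
    (3, "<b>WAN</b> overview"),
    (4, '<span onclick="placeholder()">ops</span>'),
    (5, 'Rack "12" < 20 units'),
]

if __name__ == "__main__":
    for dash_id, entry in audit_rows(SAMPLE_ROWS).items():
        print(dash_id, entry["findings"], "->", entry["escaped"])
```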
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| librenms/librenms (Packagist) | < 1.44 | 1.44 |
Affected products: 1
Patches: 0
No patches discovered yet.
References
- github.com/advisories/GHSA-9m82-f3wx-p625 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2018-18478 (ghsa, ADVISORY)
- github.com/librenms/librenms/issues/9170 (ghsa, x_refsource_MISC, WEB)
- github.com/librenms/librenms/pull/9171 (ghsa, x_refsource_MISC, WEB)
- github.com/librenms/librenms/releases/tag/1.44 (ghsa, x_refsource_MISC, WEB)
- hackpuntes.com/cve-2018-18478-libre-nms-1-43-cross-site-scripting-persistente (ghsa, WEB)
- hackpuntes.com/cve-2018-18478-libre-nms-1-43-cross-site-scripting-persistente/ (mitre, x_refsource_MISC)