CVE-2021-31274

An attacker must first be authenticated to the LibreNMS web interface. They navigate to the API Access page (`/api-access`), click "Create API access token", and enter malicious JavaScript in the "Descr:" (description) field [ref_id=1]. When the description is later displayed on the page, the unsanitized script executes in the browser of any user viewing the API Access page, leading to stored cross-site scripting [CWE-79].

The vulnerability exists in the API Access page of LibreNMS. The `$api->description` variable is not properly sanitized before being rendered, allowing stored XSS [ref_id=1]. The fix was merged in pull request #12739 on the master branch [ref_id=1].

The advisory states the fix was merged into the master branch via pull request #12739 and was included in the stable release shortly after [ref_id=1]. While the exact diff is not shown in the advisory, the fix addresses the insufficient sanitization of the `$api->description` variable, ensuring user-controlled input is neutralized before being output in the web page [CWE-79]. Users should upgrade to LibreNMS version 21.3.0 or later.

Login to the website. Go to `[LibreNMS root URL]/api-access`. Click the "Create API access token" button. Enter `<script>alert(1)</script>` (or similar payload) in the "Descr:" field, and click "Create API Token" [ref_id=1].