High severityNVD Advisory· Published Nov 20, 2022· Updated Apr 25, 2025

Improperly Controlled Modification of Dynamically-Determined Object Attributes in librenms/librenms

CVE-2022-4068

Description

A user is able to enable their own account if it was disabled by an admin while the user still holds a valid session. Moreover, the username is not properly sanitized in the admin user overview. This enables an XSS attack that enables an attacker with a low privilege user to execute arbitrary JavaScript in the context of an admin's account.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
librenms/librenmsPackagist	< 22.10.0	22.10.0

Affected products

ghsa-coords
pkg:composer/librenms/librenms
Range: < 22.10.0
Librenms/Librenmscpe-rescue
Range: unspecified

Patches

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-f3hw-3h74-wr98ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2022-4068ghsaADVISORY
github.com/librenms/librenms/commit/09a2977adb8bc4b1db116c725d661160c930d3a1ghsaWEB
huntr.dev/bounties/becfecc4-22a6-4f94-bf83-d6030b625fdcghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.455
epss	0.027
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000