Summary
A Stored Cross-Site Scripting (XSS) vulnerability exists in the ShowConfig page of devices affected by the RANCID Integration settings. The application fails to properly sanitise the rancid_repo_url configuration value. When a user navigates to a device's configuration page, this unsanitised value is rendered directly within an HTML anchor (<a>) tag. This allows an authenticated user with permission to modify external settings to inject malicious JavaScript that will execute in the browser of any user viewing the affected device pages.
Details
The vulnerability is located in the external settings configuration block, specifically at the settings/external/rancid endpoint. When a valid rancid_configs is set, the application renders the corresponding rancid_repo_url as a clickable link labeled "Git Repository" on the /device/{id}/showconfig UI.
Because the rancid_repo_url input is neither validated upon saving nor contextually encoded upon rendering, an attacker can break out of the href attribute context or use JavaScript URIs to attach malicious event handlers or scripts.
This vulnerability is introduced by the line 13 of https://github.com/librenms/librenms/blob/master/includes/html/pages/device/showconfig.inc.php.
PoC
- Login as an admin and navigate to
/settings/external/rancid.
- Add a valid path to
rancid_configs. This can be any directory ended with .git.
- Put
"></a><img/src/onerror=alert(1)><a x=" into rancid_repo_url config.
- Navigate to a device page and click
Config (Or visit /device/{id}/showconfig directly).
- The XSS is triggered when visiting the page. It will pop up an alert dialog.
Other Payloads
javascript:alert(1)" x=" - triggered by clicking the link.- ``" onmouseover="alert(1)" x="` - triggered by hovering on the link
Impact
Since an admin account is required to change the settings, the risk is minimal in systems with a single administrator. However, in environments with multiple administrative users, this constitutes an Admin-to-Admin Cross-Site Scripting attack. It could be used by a compromised admin account to execute arbitrary frontend code in the context of another administrator's session, potentially leading to session hijacking or unauthorized data exposure.
Remediation Advice
Ensure proper sanitisation is performed on affected fields, with all special characters escaped and HTML encoded. This can be done with existing frameworks like HTMLPurifier.
CVE Request
CVE References: https://projectblack.io/blog/librenms-authenticated-rce-and-xss/
References
YuriNek0 Reporter
Summary
A Stored Cross-Site Scripting (XSS) vulnerability exists in the ShowConfig page of devices affected by the RANCID Integration settings. The application fails to properly sanitise the
rancid_repo_urlconfiguration value. When a user navigates to a device's configuration page, this unsanitised value is rendered directly within an HTML anchor (<a>) tag. This allows an authenticated user with permission to modify external settings to inject malicious JavaScript that will execute in the browser of any user viewing the affected device pages.Details
The vulnerability is located in the external settings configuration block, specifically at the settings/external/rancid endpoint. When a valid rancid_configs is set, the application renders the corresponding
rancid_repo_urlas a clickable link labeled "Git Repository" on the/device/{id}/showconfigUI.Because the
rancid_repo_urlinput is neither validated upon saving nor contextually encoded upon rendering, an attacker can break out of thehrefattribute context or use JavaScript URIs to attach malicious event handlers or scripts.This vulnerability is introduced by the line 13 of https://github.com/librenms/librenms/blob/master/includes/html/pages/device/showconfig.inc.php.
PoC
/settings/external/rancid.rancid_configs. This can be any directory ended with.git."></a><img/src/onerror=alert(1)><a x="intorancid_repo_urlconfig.Config(Or visit/device/{id}/showconfigdirectly).Other Payloads
javascript:alert(1)" x="- triggered by clicking the link.Impact
Since an admin account is required to change the settings, the risk is minimal in systems with a single administrator. However, in environments with multiple administrative users, this constitutes an Admin-to-Admin Cross-Site Scripting attack. It could be used by a compromised admin account to execute arbitrary frontend code in the context of another administrator's session, potentially leading to session hijacking or unauthorized data exposure.
Remediation Advice
Ensure proper sanitisation is performed on affected fields, with all special characters escaped and HTML encoded. This can be done with existing frameworks like HTMLPurifier.
CVE Request
CVE References: https://projectblack.io/blog/librenms-authenticated-rce-and-xss/
References