Reflected XSS in librenms/librenms


Reported on Jan 30th 2023


A reflected Cross-Site Scripting (XSS) vulnerability in LibreNMS 22.12.0 - Fri Dec 30 2022 10:11:51 GMT+0100 allows attackers to execute arbitrary external JavaScript code in the affected user's browser via the /ports/group parameter.

  1. Login
  2. Navigate to the PoC link

Proof of Concept





This vulnerability allows attackers to hijack the user's current session, steal relevant information, deface the website, or direct users to malicious websites, and allows the attacker to use it for further exploitation.
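For operators reviewing web server logs on installs older than the fixed release, the following is an added example (not part of the original report and not LibreNMS code) that flags requests whose /ports group value decodes to HTML markup. It assumes combined-format access logs and that the value follows `group=` in the request target; the log lines and function names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Access-log fields used here: client address, request target, status code.
REQUEST_RE = re.compile(r'^(\S+) .*?"[A-Z]+ (\S+) HTTP/[\d.]+" (\d{3})')
# Assumption: the reflected value follows "group=" in a /ports request target.
GROUP_RE = re.compile(r"^/ports\b.*?group=(.*)$", re.IGNORECASE | re.DOTALL)
# Characters that let a reflected value break out of HTML text or attributes.
MARKUP_RE = re.compile(r"[<>\"'`]|javascript:", re.IGNORECASE)

# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '198.51.100.4 - - [01/Feb/2023:10:00:00 +0000] "GET /ports/group=3 HTTP/1.1" 200 8123',
    '203.0.113.7 - - [01/Feb/2023:10:02:11 +0000] "GET /ports/group=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5120',
    '203.0.113.7 - - [01/Feb/2023:10:02:40 +0000] "GET /ports/group=%2522%253E%253Cb%253E HTTP/1.1" 200 5098',
    '198.51.100.4 - - [01/Feb/2023:10:05:00 +0000] "GET /devices/group=%3Cb%3E HTTP/1.1" 404 312',
]


def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input is also inspected."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_group_requests(log_lines):
    """Return (client, status, decoded value) for /ports group values holding markup."""
    hits = []
    for line in log_lines:
        req = REQUEST_RE.match(line)
        if not req:
            continue
        client, target, status = req.groups()
        group = GROUP_RE.match(target)
        if not group:
            continue
        value = decode_fully(group.group(1))
        if MARKUP_RE.search(value):
            hits.append((client, status, value))
    return hits


if __name__ == "__main__":
    for hit in suspicious_group_requests(SAMPLE_LOG):
        print(hit)
```

A hit only shows that markup was sent in the parameter; the status code and the installed version determine whether it could have been reflected.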

We are processing your report and will contact the librenms team within 24 hours. 10 months ago
A GitHub Issue asking the maintainers to create a exists 10 months ago
We have contacted a member of the librenms team and are waiting to hear back 10 months ago
9 months ago


@mantainer? any update on this?

Tony Murray validated this vulnerability 4 months ago
Hakiduck has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Tony Murray marked this as fixed in 23.8.0 with commit 91c57a 4 months ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Aug 15th 2023
Tony Murray published this vulnerability 4 months ago