SNMP location XSS vulnerability in librenms/librenms
Dec 19th 2022
By including some HTML in the "Location" field of the snmpd configuration of a managed device, an attacker can inject HTML into the LibreNMS "Devices" tab, which then gets rendered when the page is viewed.
EDIT: I'm having difficulties developing a proper exploit for this beyond the "Alert('XSS')" PoC. But maybe someone more web-savvy than me could get it to work. Dialing down the severity in the meanwhile.
Proof of Concept
// /etc/snmp/snmpd.conf sysLocation <script>alert('XSS')</script> sysContact Me <firstname.lastname@example.org> sysServices 72 master agentx agentaddress udp:161 view systemonly included .18.104.22.168.2.1.1 view systemonly included .22.214.171.124.126.96.36.199 rouser authPrivUser authpriv -V systemonly includeDir /etc/snmp/snmpd.conf.d