SNMP location XSS vulnerability in librenms/librenms


Reported on

Dec 19th 2022


By including some HTML in the "Location" field of the snmpd configuration of a managed device, an attacker can inject HTML into the LibreNMS "Devices" tab, which then gets rendered when the page is viewed.

EDIT: I'm having difficulties developing a proper exploit for this beyond the "Alert('XSS')" PoC. But maybe someone more web-savvy than me could get it to work. Dialing down the severity in the meanwhile.

Proof of Concept

// /etc/snmp/snmpd.conf
sysLocation <script>alert('XSS')</script>
sysContact Me <>
sysServices 72
master agentx
agentaddress udp:161
view systemonly included .
view systemonly included .
rouser authPrivUser authpriv -V systemonly
includeDir /etc/snmp/snmpd.conf.d


This vulnerability can be used to fetch a javascript file from some remote location. The script can then interact with LibreNMS arbitrarily on the victim's behalf and bring up/down services, view billing information or change the victim's password. Depending on that other tabs the victim has opened, the script could potentially make requests to other websites on the victim's behalf.


I think the "location" variable should be sanitized here.

We are processing your report and will contact the librenms team within 24 hours. a year ago
A GitHub Issue asking the maintainers to create a exists a year ago
a year ago


Hello! Don't hesitate to ping me if anything is unclear! Also, is it possible to go for a CVE on this one?

Cheers! Keep up the good work :)

Zluudg modified the report
a year ago
We have contacted a member of the librenms team and are waiting to hear back a year ago
Tony Murray validated this vulnerability 4 months ago
Zluudg has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Tony Murray marked this as fixed in 23.8.0 with commit 3252ea 4 months ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Aug 15th 2023 has been validated
Tony Murray published this vulnerability 4 months ago
to join this conversation