CVE-2022-0576: 
PHP vulnerability analysis and mitigation

Cross-site Scripting (XSS) vulnerability in LibreNMS prior to version 22.1.0 allows attackers to execute arbitrary javascript code which affected the Alerts module (Alert Transport) in the Transport name field (NetbyteSEC Blog, CVE Mitre).

The vulnerability exists in the Alert Transport module of LibreNMS where the Transport name field was not properly sanitized. The issue was fixed by implementing input sanitization using strip_tags() function on the transport_id, name, and transport-type variables (GitHub Commit). The vulnerability has been assigned a CVSS 3.0 Vector of AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N, indicating a medium risk level (NetbyteSEC Blog).

The successful exploitation of this vulnerability could allow attackers to execute arbitrary JavaScript code in the context of the user's browser, potentially leading to theft of sensitive information or manipulation of the web interface (NetbyteSEC Blog).

The vulnerability has been fixed in LibreNMS version 22.2.0. Users are advised to upgrade to this version or later to address the security issue (NetbyteSEC Blog).

The vendor responded promptly to the disclosure, acknowledging the security issue on February 13, 2022, and released a security advisory through Twitter along with patches in version 22.2.0 on February 16, 2022 (NetbyteSEC Blog).