CVE-2022-29711: 
PHP vulnerability analysis and mitigation

LibreNMS version 22.3.0 was discovered to contain a cross-site scripting (XSS) vulnerability in the /Table/GraylogController.php component. The vulnerability was identified and disclosed in April 2022, affecting the web interface of the network monitoring system (NVD, MITRE).

The vulnerability is classified as a cross-site scripting (XSS) issue with a CVSS v3.1 base score of 6.1 (Medium severity). The attack vector is network-accessible (AV:N) with low attack complexity (AC:L), requires no privileges (PR:N), and needs user interaction (UI:R). The scope is changed (S:C) with low confidentiality and integrity impact (C:L/I:L) and no availability impact (A:N) (NVD).

If exploited, this XSS vulnerability could allow attackers to execute arbitrary script code in the context of the web interface and potentially access sensitive browser-based information. The vulnerability affects the message handling functionality in the Graylog controller component (GitHub PR).

The vulnerability has been patched in a fix that implements proper input sanitization using htmlspecialchars() for the message and source fields in the GraylogController.php file. Users should upgrade to a version containing the fix, which was merged via pull request #13931 (GitHub Commit).