CVE-2024-47523: 
PHP vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability was discovered in LibreNMS's 'Alert Transports' feature (CVE-2024-47523). The vulnerability affects versions up to 24.7.0 and allows authenticated users to inject arbitrary JavaScript through the 'Details' section. The issue was fixed in version 24.9.0 (GitHub Advisory).

The vulnerability exists in the print-alert-transports.php file where user input in the 'Details' field is not properly sanitized before being displayed. The vulnerable code is located at line 40 of the file, where $instance->displayDetails() output is directly embedded into HTML without proper encoding. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:L (GitHub Advisory).

The vulnerability allows authenticated users to execute arbitrary JavaScript code in the context of other users' sessions. This could lead to account compromise and enable attackers to perform unauthorized actions on behalf of other users. The impact is particularly severe due to the stored nature of the XSS, which means the malicious code persists and executes whenever the affected page is viewed (GitHub Advisory).

The vulnerability has been fixed in LibreNMS version 24.9.0. The fix involves properly sanitizing user input by implementing HTML encoding for the displayed content. Users are advised to upgrade to version 24.9.0 or later to mitigate this vulnerability (GitHub Advisory).