CVE-2024-47526: 
PHP vulnerability analysis and mitigation

LibreNMS, an open-source PHP/MySQL/SNMP-based network monitoring system, was found to contain a Self Cross-Site Scripting (Self-XSS) vulnerability in its Alert Templates feature. The vulnerability, identified as CVE-2024-47526, allows users to inject arbitrary JavaScript into the alert template's name, which executes immediately upon submission but does not persist after a page refresh. The issue affects versions up to (excluding) 24.9.0 (GitHub Advisory).

The vulnerability occurs in the Alert Templates creation functionality. While the application sanitizes the 'name' field when storing it in the database using strip_tags(), the newly created template is added to the table without proper sanitization, enabling JavaScript injection. The root cause lies in the bootgrid function of the jQuery grid plugin, which doesn't sanitize text being added to the table. The vulnerability has been assigned a CVSS v3.1 base score of 3.5 (LOW) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N (NVD, GitHub Advisory).

While classified as a Self-XSS vulnerability with a lower risk compared to traditional XSS, the vulnerability can potentially be exploited through social engineering or by tricking users into entering or interacting with malicious code. This could lead to unauthorized actions or data exposure within the context of the affected user's session (GitHub Advisory).

The vulnerability has been patched in version 24.9.0 of LibreNMS. The fix involves properly escaping the template name before it is rendered in the table, as implemented in commit f259edc (GitHub Commit).