CVE-2024-50355: 
PHP vulnerability analysis and mitigation

LibreNMS, an open-source PHP/MySQL/SNMP-based network monitoring system, was found to contain a cross-site scripting (XSS) vulnerability identified as CVE-2024-50355. The vulnerability was discovered and disclosed on November 15, 2024, affecting all versions up to 24.9.0. The issue stems from improper sanitization of user input in the device Display Name field, which could allow malicious JavaScript code execution (GitHub Advisory).

The vulnerability is classified as a CWE-79 (Improper Neutralization of Input During Web Page Generation) issue. It received a CVSS v3.1 base score of 4.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N. The vulnerability specifically affects the device Display Name functionality, where user input is not properly sanitized before being rendered in the browser (NVD).

The vulnerability could allow authenticated users with admin privileges to execute arbitrary JavaScript code in the context of other users' sessions. This could lead to account compromise and enable attackers to perform unauthorized actions on behalf of affected users. The impact is particularly significant as it can be triggered from multiple sources within the application (GitHub Advisory).

The vulnerability has been patched in LibreNMS version 24.10.0. Users are advised to upgrade to this version or later to address the security issue. The fix includes improved input sanitization and the addition of strip_tags in overlib popups to prevent XSS attacks (GitHub Patch).