CVE-2024-51494: 
PHP vulnerability analysis and mitigation

LibreNMS, an open-source PHP/MySQL/SNMP-based network monitoring system, was found to contain a Stored Cross-Site Scripting (XSS) vulnerability in the "Port Settings" page. The vulnerability, identified as CVE-2024-51494, allows authenticated users to inject arbitrary JavaScript through the "descr" parameter when editing a device's port settings. This security issue was discovered and fixed in version 24.10.0 (GitHub Advisory).

The vulnerability exists in the EditPortsController.php file where user input from the "descr" parameter is not properly sanitized before being stored and displayed. When editing a device's port settings, an attacker can inject malicious JavaScript code that gets stored and executed when the "Port Settings" page is visited. The vulnerability has been assigned a CVSS v3.1 base score of 5.4 (Medium) by NIST with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, while GitHub assessed it with a score of 4.8 (Medium) (NVD).

The successful exploitation of this vulnerability could lead to the execution of malicious code in the context of other users' sessions when they visit the "Port Settings" page. This could potentially compromise user sessions and allow unauthorized actions to be performed on behalf of the affected users (GitHub Advisory).

The vulnerability has been fixed in LibreNMS version 24.10.0. Users are advised to upgrade to this version or later to address the security issue. The fix involves implementing proper HTML encoding using htmlentities() for output sanitization (GitHub Patch).