CVE-2024-51496: 
PHP vulnerability analysis and mitigation

LibreNMS, an open-source, PHP/MySQL/SNMP-based network monitoring system, contains a Reflected Cross-Site Scripting (XSS) vulnerability identified as CVE-2024-51496. The vulnerability was discovered in the "metric" parameter of the "/wireless" and "/health" endpoints, allowing attackers to inject arbitrary JavaScript. This security issue was fixed in version 24.10.0 (GitHub Advisory).

The vulnerability exists due to improper sanitization of the "metric" parameter in the wireless.inc.php and health.inc.php files. When a user accesses the page with a malicious "metric" parameter, the injected JavaScript code executes in the context of the user's session. The vulnerability has been assigned a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (NVD).

The successful exploitation of this vulnerability could result in the execution of malicious code when a user accesses the affected pages with a crafted "metric" parameter. This can potentially lead to session compromise and unauthorized actions being performed in the context of the affected user's session (GitHub Advisory).

The vulnerability has been patched in LibreNMS version 24.10.0. Users are advised to upgrade to this version or later to protect against this security issue (GitHub Advisory, GitHub Patch).