CVE-2024-56144: 
PHP vulnerability analysis and mitigation

LibreNMS, a community-based GPL-licensed network monitoring system, was found to contain a stored Cross-Site Scripting (XSS) vulnerability (CVE-2024-56144) affecting versions up to 24.11.0. The vulnerability was discovered and disclosed on January 16, 2025 (NVD, GitHub Advisory).

The vulnerability exists in the device editing functionality, specifically in the display parameter accessible via the path /device/$DEVICE_ID/edit. When a malicious script is injected into the Display Name field, it gets stored and executes when users view or interact with the page displaying the data. The vulnerability has been assigned a CVSS v3.1 base score of 4.6 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N, indicating network accessibility with low attack complexity, requiring low privileges and user interaction (GitHub Advisory).

The vulnerability allows remote attackers to inject and execute malicious scripts in users' browsers when they view affected pages. This can lead to unauthorized actions and potential exposure of sensitive data within the context of the user's browser session (GitHub Advisory).

This vulnerability has been addressed in LibreNMS version 24.12.0. Users are advised to upgrade to this version or later to mitigate the risk. There are no known workarounds for this vulnerability (NVD).