CVE-2025-23199: 
PHP vulnerability analysis and mitigation

Librenms, a community-based GPL-licensed network monitoring system, was found to contain a stored XSS vulnerability (CVE-2025-23199) affecting versions up to 24.10.1. The vulnerability was discovered on January 16, 2025, and exists in the parameter handling of /ajax_form.php specifically in the 'descr' parameter (NVD, GitHub Advisory).

The vulnerability allows remote attackers to inject malicious scripts through the 'descr' parameter in the /ajax_form.php endpoint. When a user views or interacts with the page displaying the data, the malicious script executes immediately. The vulnerability has been assigned a CVSS v3.1 base score of 4.6 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N, indicating network attack vector, low attack complexity, low privileges required, and user interaction required (GitHub Advisory).

The vulnerability can lead to potential unauthorized actions or data exposure when users view or interact with pages containing injected malicious scripts. The impact includes potential execution of arbitrary JavaScript code in the context of other users' browsers (GitHub Advisory).

This vulnerability has been patched in LibreNMS version 24.11.0. Users are advised to upgrade to this version or later. There are no known workarounds for this vulnerability (NVD).