CVE-2025-62365: 
PHP vulnerability analysis and mitigation

LibreNMS, an open-source PHP/MySQL/SNMP-based network monitoring system, was found to contain a reflected Cross-Site Scripting (XSS) vulnerability in versions prior to 25.7.0. The vulnerability (CVE-2025-62365) was discovered in the report_this function within librenms/includes/functions.php, where improper filtering of the project_issues parameter could lead to XSS attacks (GitHub Advisory, NVD).

The vulnerability stems from improper filtering in the report_this function where the htmlentities function was incorrectly used in an href environment. The project_issues parameter could be manipulated to trigger an XSS vulnerability due to insufficient sanitization. The CVSS v4.0 base score is 5.5 (Medium) with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N, while the CVSS v3.1 base score is 6.1 (Medium) (NVD, Miggo).

The XSS vulnerability allows attackers to execute malicious scripts in users' browsers, potentially leading to unauthorized access to sensitive data, session hijacking, or malware distribution. An attacker could exploit this by crafting a malicious URL containing JavaScript code in the project_issues parameter (GitHub Advisory).

The vulnerability has been fixed in LibreNMS version 25.7.0. The fix involves completely removing the report_this function. For systems that cannot be immediately updated, it is recommended to implement filtering of dangerous protocols, such as javascript: and file: schemes (GitHub Advisory).