Please find the POC file here https://trendmicro-my.sharepoint.com/:u:/p/kholoud_altookhy/IQCfcnOE5ykQSb6Fm-HFI872AZ_zeIJxU-3aDk0jh_eX_NE?e=zkN76d
ZDI-CAN-28575: LibreNMS Alert Rule API Cross-Site Scripting Vulnerability
-- CVSS -----------------------------------------
4.3: AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L
-- ABSTRACT -------------------------------------
Trend Micro's Zero Day Initiative has identified a vulnerability affecting the following products: LibreNMS - LibreNMS
-- VULNERABILITY DETAILS ------------------------
LibreNMS Alert Rule API Stored Cross-Site Scripting
Alert rules can be created or updated via the LibreNMS API. The alert rule name is not properly sanitized and can be used to inject HTML code.
The latest version at the time of writing (25.10.0) is vulnerable.
When an alert rule is created or updated via the API, the function add_edit_rule() in includes/html/api_functions.inc.php is called to add/update the entry in the database. When an alert rule is created via the web interface, HTML tags are stripped from the rule name; however, this is not the case when using the API.
As such, it is possible to create an alert rule where the name is:
<script>alert(1)</script>
Later, when a victim browses to the Alerts > Alert Rule page, the PHP script includes/html/print-alert/rules.php is called. It notably includes the file includes/html/modal/alert_rule_list.inc.php, which returns HTML code for a modal window that searches alert rules.
The modal window includes an HTML table with all rules, including their name, and an inline JavaScript that calls the bootgrid() function (http://www.jquery-bootgrid.com/) for styling and enhancing the table.
alert_rule_list.inc.php sanitizes the rule name with the function e() before including it in...
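As an added defender-side example (not LibreNMS code and not part of the advisory), the script below audits rule names returned by the LibreNMS API for HTML markup that the web interface would have stripped but the API accepted, and shows the entity-encoded form a template should emit. The response shape ({"status": "ok", "rules": [...]}) is an assumption and the sample response is constructed.

```python
"""Audit LibreNMS alert-rule names for injected HTML markup.

Added example, not LibreNMS's own code. It parses the JSON an alert-rule
listing call is assumed to return ({"status": "ok", "rules": [...]}) and
flags every rule whose name contains an HTML tag. The sample response at the
bottom is constructed for the demonstration.
"""
import html
import json
import re

# Any '<tag ...>' or '</tag>' fragment; a rule name has no legitimate need for one.
_TAG_RE = re.compile(r"</?[A-Za-z][^>]*>")


def strip_markup(name: str) -> str:
    """Mirror the web-UI behaviour described in the advisory: drop HTML tags from the name."""
    return _TAG_RE.sub("", name)


def find_tainted_rules(api_response: str) -> list[dict]:
    """Return rules whose name contains markup, each with a cleaned name suggested."""
    payload = json.loads(api_response)
    tainted = []
    for rule in payload.get("rules", []):   # assumed key for the rule list
        name = str(rule.get("name", ""))
        if _TAG_RE.search(name):
            tainted.append({"id": rule.get("id"), "name": name, "cleaned": strip_markup(name)})
    return tainted


def render_cell(name: str) -> str:
    """Entity-encode a rule name for output, the same effect the advisory attributes to e()."""
    return html.escape(name, quote=True)


# Constructed sample: one clean rule and two created through the API with tags in the name.
SAMPLE_RESPONSE = json.dumps({
    "status": "ok",
    "rules": [
        {"id": 1, "name": "Device Down"},
        {"id": 2, "name": "<script>alert(1)</script>"},
        {"id": 3, "name": "Disk <b>usage</b> high"},
    ],
})

if __name__ == "__main__":
    for hit in find_tainted_rules(SAMPLE_RESPONSE):
        print(f"rule {hit['id']}: {hit['name']!r} -> cleaned {hit['cleaned']!r}")
```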
25.12.0
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L