Vulnerability Details : CVE-2018-18478
Potential exploit
Persistent Cross-Site Scripting (XSS) issues in LibreNMS before 1.44 allow remote attackers to inject arbitrary web script or HTML via the dashboard_name parameter in the /ajax_form.php resource, related to html/includes/forms/add-dashboard.inc.php, html/includes/forms/delete-dashboard.inc.php, and html/includes/forms/edit-dashboard.inc.php.
Vulnerability category: Cross site scripting (XSS)
Products affected by CVE-2018-18478
- cpe:2.3:a:librenms:librenms:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2018-18478
- EPSS score: 0.02% (probability of exploitation activity in the next 30 days)
- Percentile: ~4% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2018-18478
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N | 8.6 | 2.9 | NIST | |
6.1 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | 2.8 | 2.7 | NIST | |
CWE ids for CVE-2018-18478
- The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Assigned by: nvd@nist.gov (Primary)
References for CVE-2018-18478
- https://github.com/librenms/librenms/releases/tag/1.44
  Release 1.44 Release (Sept 2018) · librenms/librenms · GitHub (Release Notes; Third Party Advisory)
- https://github.com/librenms/librenms/pull/9171
  Sanitize data in dashboard add/edit/delete by murrant · Pull Request #9171 · librenms/librenms · GitHub (Third Party Advisory)
- https://hackpuntes.com/cve-2018-18478-libre-nms-1-43-cross-site-scripting-persistente/
  CVE-2018-18478 Libre NMS 1.43 - Cross-Site Scripting Persistente - Hackpuntes (Exploit; Third Party Advisory)
- https://github.com/librenms/librenms/issues/9170
  [SECURITY] Persistent Cross-Site Scripting (XSS) · Issue #9170 · librenms/librenms · GitHub (Exploit; Third Party Advisory)