CVE-2022-4068

MEDIUM

LibreNMS <= 22.10.0 - Account Re-enablement and XSS

Title source: llm

Description

A user is able to enable their own account if it was disabled by an admin while the user still holds a valid session. Moreover, the username is not properly sanitized in the admin user overview. This enables an XSS attack that enables an attacker with a low privilege user to execute arbitrary JavaScript in the context of an admin's account.

References (2)

[Patch, Third Party Advisory] https://github.com/librenms/librenms/commit/09a2977adb8bc4b1db116c725d661160c930d3a1

View Patch ZIP pw:eip

[Exploit, Patch, Third Party Advisory] https://huntr.dev/bounties/becfecc4-22a6-4f94-bf83-d6030b625fdc

Scores

CVSS v3 5.4

EPSS 0.5437

EPSS Percentile 98.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-915 CWE-79

Status published

Products (2)

librenms/librenms < 22.10.0

librenms/librenms 0 - 22.10.0Packagist

Published Nov 20, 2022

Tracked Since Feb 18, 2026