# GHSA-5gm9-622f-qcg5: LibreNMS: Cross-Site Scripting in ShowConfigController

Severity: Low (CVSS 3.5)

CVE IDs covered: 1

## Description
### Summary
A stored cross-site scripting (XSS) vulnerability exists in the ShowConfig page of devices covered by the RANCID integration settings. The application fails to sanitise the `rancid_repo_url` configuration value: when a user opens a device's configuration page, the raw value is rendered inside an HTML anchor (`<a>`) tag. An authenticated user with permission to modify external settings can therefore inject JavaScript that executes in the browser of any user who views an affected device page.
### Details
The vulnerability is located in the external settings configuration block, specifically at the `settings/external/rancid` endpoint. When a valid `rancid_configs` path is set, the application renders the corresponding `rancid_repo_url` as a clickable link labelled "Git Repository" on the `/device/{id}/showconfig` page.
Because the `rancid_repo_url` value is neither validated when it is saved nor encoded for the attribute context when it is rendered, an attacker can break out of the `href` attribute (the value sits inside a double-quoted attribute, so a single `"` closes it) or supply a `javascript:` URI, and so attach event handlers or inject script tags.
The vulnerable code is line 13 of https://github.com/librenms/librenms/blob/master/includes/html/pages/device/showconfig.inc.php (a `master` link, so the line number may drift as the file changes).
### PoC
1. Log in as an admin and navigate to `/settings/external/rancid`.
![screenshot](https://github.com/user-attachments/assets/348fff1b-dfce-4735-9273-055113695368)
2. Add a valid path to `rancid_configs`. This can be any directory whose name ends in `.git`.
3. Set `rancid_repo_url` to `"></a><img/src/onerror=alert(1)><a x="`.
![screenshot](https://github.com/user-attachments/assets/b8c5d650-ba05-4326-8a2d-bea8defa7373)
4. Navigate to a device page and click `Config` (or visit `/device/{id}/showconfig` directly).
5. The XSS fires as soon as the page loads and pops up an alert dialog.
![screenshot](https://github.com/user-attachments/assets/4d15784e-ff93-46ec-b13e-08a225a8d6d4)
#### Other Payloads
- `javascript:alert(1)" x="` - triggered by clicking the link.
- `" onmouseover="alert(1)" x="` - triggered by hovering over the link.
### Impact
Since an admin account is required to change the settings, the risk is minimal in systems with a single administrator. In environments with multiple administrative users, however, this is an admin-to-admin cross-site scripting attack: a compromised admin account can execute arbitrary JavaScript in the context of another administrator's session, potentially leading to session hijacking or unauthorised data exposure.
### Remediation Advice
Encode the value for the HTML attribute context when it is rendered (in PHP, `htmlspecialchars()` with `ENT_QUOTES`), so that quotes and angle brackets cannot terminate the `href` attribute or open a new tag. Encoding alone does not neutralise the `javascript:` payload above, because that payload needs no special characters to work, so additionally validate `rancid_repo_url` when it is saved and restrict it to an allowlisted scheme such as `http` or `https`. HTMLPurifier, which the report suggests, sanitises HTML fragments; for a single attribute value, contextual encoding plus URL validation is the direct fix.
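As an added example that is not LibreNMS code and not the reporter's PoC, the following PHP models the rendering described under Details and the fix described under Remediation Advice: a vulnerable renderer that concatenates the configured `rancid_repo_url` straight into an `href`, beside a hardened renderer that allowlists the URL scheme and encodes the value for the attribute context. The function names, the sample repository URL and the decision to accept only `http` and `https` (rejecting `ssh://`, `git://` and relative paths) are assumptions for illustration; the advisory does not say how the project itself fixed the issue.

```php
<?php
// Added example, not LibreNMS code. Models the "Git Repository" link on the
// showconfig page. Function names, the sample URL and the http/https-only
// allowlist are assumptions for illustration.

declare(strict_types=1);

/**
 * Vulnerable renderer: mirrors the flaw in the advisory. The value is placed
 * inside a double-quoted href with no encoding, so a stored value containing
 * '"' closes the attribute and everything after it is parsed as markup.
 */
function renderRepoLinkVulnerable(string $repoUrl): string
{
    return '<a href="' . $repoUrl . '">Git Repository</a>';
}

/**
 * Hardened renderer.
 *
 * 1. Scheme allowlist: only http and https are accepted. Encoding alone does
 *    not stop a javascript: URI, because that payload needs no '"' or '<'.
 * 2. Attribute-context encoding: htmlspecialchars() with ENT_QUOTES turns
 *    '"', "'", '<', '>' and '&' into entities, so the value can neither leave
 *    the attribute nor start a new tag.
 *
 * Returns null when the value is rejected; the caller then omits the link
 * instead of rendering anything derived from the bad value.
 */
function renderRepoLinkSafe(string $repoUrl): ?string
{
    $repoUrl = trim($repoUrl);
    $scheme = parse_url($repoUrl, PHP_URL_SCHEME);
    if (!is_string($scheme) || !in_array(strtolower($scheme), ['http', 'https'], true)) {
        return null;
    }
    // parse_url() does not reject embedded quotes, so encoding is still
    // required after the scheme check; the two controls are complementary.
    $encoded = htmlspecialchars($repoUrl, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="' . $encoded . '">Git Repository</a>';
}

// Constructed inputs: one legitimate repository URL (assumed) and the three
// payloads from the advisory's PoC section.
$inputs = [
    'legitimate'     => 'https://git.example.internal/network/rancid.git',
    'tag breakout'   => '"></a><img/src/onerror=alert(1)><a x="',
    'javascript uri' => 'javascript:alert(1)" x="',
    'event handler'  => '" onmouseover="alert(1)" x="',
];

foreach ($inputs as $label => $value) {
    printf("%-15s vulnerable: %s\n", $label, renderRepoLinkVulnerable($value));
    printf("%-15s safe:       %s\n\n", $label, renderRepoLinkSafe($value) ?? '(rejected, link omitted)');
}
```

Run with `php example.php`: the vulnerable column reproduces the injected `<img>` tag, the bare `javascript:` link and the `onmouseover` attribute, while the safe column renders only the legitimate URL unchanged and rejects all three payloads at the scheme check. Even if a payload were to pass the scheme check (for example `https://x/"><img/src/onerror=alert(1)>`), the `htmlspecialchars()` step keeps it inside the attribute as inert text, which is why both controls belong in the fix.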
### CVE Request
Reference: https://projectblack.io/blog/librenms-authenticated-rce-and-xss/
## Affected products (1)

- composer/librenms/librenms: >= 25.12.0, < 26.3.0