### [CVE-2022-4068](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4068)
![](https://img.shields.io/static/v1?label=Product&message=librenms%2Flibrenms&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=%3C%2022.10.0%20&color=brighgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-915%20Improperly%20Controlled%20Modification%20of%20Dynamically-Determined%20Object%20Attributes&color=brighgreen)

### Description

A user is able to enable their own account if it was disabled by an admin while the user still holds a valid session. Moreover, the username is not properly sanitized in the admin user overview. This enables an XSS attack that enables an attacker with a low privilege user to execute arbitrary JavaScript in the context of an admin's account.

### POC

#### Reference
- https://huntr.dev/bounties/becfecc4-22a6-4f94-bf83-d6030b625fdc

#### Github
No PoCs found on GitHub currently.