CVE-2023-48705 nautobot

Package

Manager: pip
Name: nautobot
Vulnerable Version: >=0 <1.6.6 || >=2.0.0 <2.0.5

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:L

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:P/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N

EPSS: 0.00295 (percentile 0.52395)

Details

Cross-site Scripting potential in custom links, job buttons, and computed fields

### Impact

All users of Nautobot versions earlier than 1.6.6 or 2.0.5 are potentially affected. Due to incorrect usage of Django's `mark_safe()` API when rendering certain types of user-authored content, including:

- custom links
- job buttons
- computed fields

users with permission to create or edit these types of content could craft a malicious payload (such as JavaScript code) that is stored by Nautobot and executed in the browser of any user who views a page rendering this content.

### Patches

We have fixed the incorrect uses of `mark_safe()` (generally by replacing them with appropriate use of `format_html()`, which escapes interpolated values before marking the result safe) so that such malicious data is rendered as text rather than executed. Users on Nautobot 1.6.x LTM should upgrade to v1.6.6 and users on Nautobot 2.0.x should upgrade to v2.0.5.

### Workarounds

Appropriate object permissions can and should be applied to restrict which users are permitted to create or edit the aforementioned types of user-authored content. Other than that, there is no direct fix available without upgrading.

### References

- https://github.com/nautobot/nautobot/pull/4832
- https://github.com/nautobot/nautobot/pull/4833
- https://docs.djangoproject.com/en/3.2/ref/utils/#django.utils.html.format_html
- https://docs.djangoproject.com/en/3.2/ref/utils/#django.utils.safestring.mark_safe
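The following is an added example illustrating the bug class described above; it is not code from Nautobot or from the linked pull requests. To run offline without Django installed, it defines small stand-ins (`SafeString`, `mark_safe`, `conditional_escape`, `format_html`) that mirror the semantics of the Django APIs referenced in the advisory using only the standard library. The custom-link renderers, the URL, and the attacker-authored link text are constructed for illustration.

```python
"""Vulnerable vs. fixed rendering of user-authored content (mark_safe vs. format_html).

The helpers below are stdlib stand-ins that mimic django.utils.safestring.mark_safe
and django.utils.html.format_html / conditional_escape; they are NOT Django's code.
"""
from html import escape


class SafeString(str):
    """A str the template engine will not escape again (mirrors Django's SafeString)."""


def mark_safe(s: str) -> SafeString:
    """Declare `s` trusted HTML without escaping it (mirrors Django's mark_safe)."""
    return SafeString(s)


def conditional_escape(value) -> SafeString:
    """HTML-escape `value` unless it is already marked safe (mirrors Django's helper)."""
    if isinstance(value, SafeString):
        return value
    return SafeString(escape(str(value), quote=True))


def format_html(fmt: str, *args, **kwargs) -> SafeString:
    """Escape every argument, then format and mark the result safe (mirrors Django's format_html)."""
    safe_args = [conditional_escape(a) for a in args]
    safe_kwargs = {k: conditional_escape(v) for k, v in kwargs.items()}
    return mark_safe(fmt.format(*safe_args, **safe_kwargs))


def render_custom_link_vulnerable(text: str, url: str) -> SafeString:
    """'Before' pattern: user-authored values are interpolated raw, then the whole
    string is marked safe, so any HTML/JS in `text` reaches the viewer's browser."""
    return mark_safe(f'<a href="{url}">{text}</a>')


def render_custom_link_fixed(text: str, url: str) -> SafeString:
    """'After' pattern: format_html escapes `url` and `text` before marking safe,
    so attacker-supplied markup is rendered as literal text."""
    return format_html('<a href="{}">{}</a>', url, text)


# Constructed attacker-authored link text (hypothetical, not from the advisory).
MALICIOUS_TEXT = '<img src=x onerror="alert(document.cookie)">'
SAMPLE_URL = "https://example.invalid/devices"


def demo() -> dict:
    """Render the same payload both ways so the difference is visible."""
    return {
        "vulnerable": str(render_custom_link_vulnerable(MALICIOUS_TEXT, SAMPLE_URL)),
        "fixed": str(render_custom_link_fixed(MALICIOUS_TEXT, SAMPLE_URL)),
    }


if __name__ == "__main__":
    out = demo()
    print("vulnerable:", out["vulnerable"])
    print("fixed:     ", out["fixed"])
```

Note that `format_html` only neutralises HTML metacharacters in the interpolated values; it does not validate that a user-supplied `href` uses a safe scheme, so a link whose URL is `javascript:...` would still be emitted verbatim. Restricting who may author these objects, as the workaround above recommends, remains worthwhile even after upgrading.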

Metadata

Created: 2023-11-22T20:55:54Z
Modified: 2024-11-22T18:13:43Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-cf9f-wmhp-v4pr/GHSA-cf9f-wmhp-v4pr.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-cf9f-wmhp-v4pr
Finding: F425
Auto approve: 1