
CVE-2024-32979 nautobot

Package

Manager: pip
Name: nautobot
Vulnerable Version: >=1.5.0 <1.6.20 || >=2.0.0 <2.2.3

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:L

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N

EPSS: 0.00148 (percentile 0.35896)

Details

nautobot has reflected Cross-site Scripting potential in all object list views

### Impact

It was discovered that due to improper handling and escaping of user-provided query parameters, a maliciously crafted Nautobot URL could potentially be used to execute a Reflected Cross-Site Scripting (Reflected XSS) attack against users.

All filterable object-list views in Nautobot are vulnerable, including:

- /dcim/location-types/
- /dcim/locations/
- /dcim/racks/
- /dcim/rack-groups/
- /dcim/rack-reservations/
- /dcim/rack-elevations/
- /tenancy/tenants/
- /tenancy/tenant-groups/
- /extras/tags/
- /extras/statuses/
- /extras/roles/
- /extras/dynamic-groups/
- /dcim/devices/
- /dcim/platforms/
- /dcim/virtual-chassis/
- /dcim/device-redundancy-groups/
- /dcim/interface-redundancy-groups/
- /dcim/device-types/
- /dcim/manufacturers/
- /dcim/cables/
- /dcim/console-connections/
- /dcim/power-connections/
- /dcim/interface-connections/
- /dcim/interfaces/
- /dcim/front-ports/
- /dcim/rear-ports/
- /dcim/console-ports/
- /dcim/console-server-ports/
- /dcim/power-ports/
- /dcim/power-outlets/
- /dcim/device-bays/
- /dcim/inventory-items/
- /ipam/ip-addresses/
- /ipam/prefixes
- /ipam/rirs/
- /ipam/namespaces/
- /ipam/vrfs/
- /ipam/route-targets/
- /ipam/vlans/
- /ipam/vlan-groups/
- /ipam/services/
- /virtualization/virtual-machines/
- /virtualization/interfaces/
- /virtualization/clusters/
- /virtualization/cluster-types/
- /virtualization/cluster-groups/
- /circuits/circuits/
- /circuits/circuit-types/
- /circuits/providers/
- /circuits/provider-networks/
- /dcim/power-feeds/
- /dcim/power-panels/
- /extras/secrets/
- /extras/secrets-groups/
- /extras/jobs/
- /extras/jobs/scheduled-jobs/approval-queue/
- /extras/jobs/scheduled-jobs/
- /extras/job-results/
- /extras/job-hooks/
- /extras/job-buttons/
- /extras/object-changes/
- /extras/git-repositories/
- /extras/graphql-queries/
- /extras/relationships/
- /extras/notes/
- /extras/config-contexts/
- /extras/config-context-schemas/
- /extras/export-templates/
- /extras/external-integrations/
- /extras/webhooks/
- /extras/computed-fields/
- /extras/custom-fields/
- /extras/custom-links/

as well as any similar object-list views provided by any Nautobot App.

### Patches

Fixed in Nautobot 1.6.20 and 2.2.3.

### Workarounds

No workaround has been identified.

### References

- #5646
- #5647

**Credit to [Michael Panorios](mailto:michael.panorios@pwc.com) for reporting this issue.**
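The defect class the advisory describes is a list view that reflects decoded query parameters into its HTML without escaping them. The following is an added illustration, not Nautobot's code and not part of the advisory: a hypothetical filter-summary helper shown first in the reflecting form and then in the escaped form, together with a regression check a maintainer can run over rendered output to catch any parameter that reaches the page unescaped. The query strings, function names and the `data-filter` attribute are all constructed for this example.

```python
from html import escape
from urllib.parse import parse_qsl

# Constructed sample query strings (not taken from the advisory). The second one
# carries HTML-significant characters in a filter value, which is the input
# class at issue: user-controlled query parameters reflected into a page.
BENIGN_QUERY = "status=active&site=dc1"
MARKUP_QUERY = "status=active&site=%3Cb%3Ex%3C%2Fb%3E%26%22"


def parse_filters(query_string: str) -> list[tuple[str, str]]:
    """Decode a query string into (name, value) pairs, as a list view would."""
    return parse_qsl(query_string, keep_blank_values=True)


def render_filter_summary_unsafe(query_string: str) -> str:
    """Reflects parameter names and values verbatim into HTML.

    This is the defect pattern: once a decoded value contains '<', '"' or '&',
    the browser parses it as markup rather than as text.
    """
    items = "".join(
        f'<li data-filter="{name}">{name}: {value}</li>'
        for name, value in parse_filters(query_string)
    )
    return f"<ul>{items}</ul>"


def render_filter_summary_safe(query_string: str) -> str:
    """Escapes names and values before they reach HTML text or attribute context.

    quote=True also encodes '"' and "'", which matters because the name is
    placed inside a quoted attribute, not only in element text.
    """
    items = "".join(
        f'<li data-filter="{escape(name, quote=True)}">'
        f"{escape(name, quote=True)}: {escape(value, quote=True)}</li>"
        for name, value in parse_filters(query_string)
    )
    return f"<ul>{items}</ul>"


def reflects_raw_markup(rendered: str, query_string: str) -> bool:
    """Regression check for a rendered page.

    Returns True if any decoded parameter that contains an HTML-significant
    character appears unchanged in the output, i.e. was reflected unescaped.
    Plain alphanumeric parameters are ignored because they are expected to
    appear verbatim either way.
    """
    special = "<>\"'&"
    for name, value in parse_filters(query_string):
        for text in (name, value):
            if any(c in text for c in special) and text in rendered:
                return True
    return False


if __name__ == "__main__":
    for label, render in (("unsafe", render_filter_summary_unsafe),
                          ("safe", render_filter_summary_safe)):
        out = render(MARKUP_QUERY)
        print(f"{label}: reflects raw markup = {reflects_raw_markup(out, MARKUP_QUERY)}")
        print("  ", out)
```

The check is deliberately conservative: it flags only parameters that carry characters with meaning in HTML, so it can be dropped into a view test suite and run against every filterable list view with a fixed set of probe values, without producing noise on ordinary filter terms.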

Metadata

Created: 2024-05-01T09:36:35Z
Modified: 2024-05-01T13:07:14Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-jxgr-gcj5-cqqg/GHSA-jxgr-gcj5-cqqg.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-jxgr-gcj5-cqqg
Finding: F008
Auto approve: 1