Описание
XSS potential in rendered Markdown fields (comments, description, notes, etc.)
Impact
All users of Nautobot versions earlier than 1.6.10 or 2.1.2 are potentially impacted.
Due to inadequate input sanitization, any user-editable fields that support Markdown rendering, including:
Circuit.commentsCluster.commentsCustomField.descriptionDevice.commentsDeviceRedundancyGroup.commentsDeviceType.commentsJob.descriptionJobLogEntry.messageLocation.commentsNote.notePowerFeed.commentsProvider.noc_contactProvider.admin_contactProvider.commentsProviderNetwork.commentsRack.commentsTenant.commentsVirtualMachine.comments- Contents of any custom fields of type
markdown - Job class
descriptionattributes - The
SUPPORT_MESSAGEsystem configuration setting
are potentially susceptible to cross-site scripting (XSS) attacks via maliciously crafted data.
Patches
Fixed in Nautobot versions 1.6.10 and 2.1.2.
References
https://github.com/nautobot/nautobot/pull/5133 https://github.com/nautobot/nautobot/pull/5134
Ссылки
- https://github.com/nautobot/nautobot/security/advisories/GHSA-v4xv-795h-rv4h
- https://nvd.nist.gov/vuln/detail/CVE-2024-23345
- https://github.com/nautobot/nautobot/pull/5133
- https://github.com/nautobot/nautobot/pull/5134
- https://github.com/nautobot/nautobot/commit/17effcbe84a72150c82b138565c311bbee357e80
- https://github.com/nautobot/nautobot/commit/64312a4297b5ca49b6cdedf477e41e8e4fd61cce
- https://github.com/pypa/advisory-database/tree/main/vulns/nautobot/PYSEC-2024-16.yaml
Пакеты
nautobot
>= 2.0.0, < 2.1.2
2.1.2
nautobot
< 1.6.10
1.6.10
Связанные уязвимости
Nautobot is a Network Source of Truth and Network Automation Platform built as a web application. All users of Nautobot versions earlier than 1.6.10 or 2.1.2 are potentially impacted by a cross-site scripting vulnerability. Due to inadequate input sanitization, any user-editable fields that support Markdown rendering, including are potentially susceptible to cross-site scripting (XSS) attacks via maliciously crafted data. This issue is fixed in Nautobot versions 1.6.10 and 2.1.2.