We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Zendesk (Helpdesk and Chat)
Ok

THREATINT
PUBLISHED

CVE-2024-34707

Nautobot's BANNER_* configuration can be used to inject arbitrary HTML content into Nautobot pages

Reserved:2024-05-07
Published:2024-05-13
Updated:2024-05-13

Description

Nautobot is a Network Source of Truth and Network Automation Platform. A Nautobot user with admin privileges can modify the `BANNER_TOP`, `BANNER_BOTTOM`, and `BANNER_LOGIN` configuration settings via the `/admin/constance/config/` endpoint. Normally these settings are used to provide custom banner text at the top and bottom of all Nautobot web pages (or specifically on the login page in the case of `BANNER_LOGIN`) but it was reported that an admin user can make use of these settings to inject arbitrary HTML, potentially exposing Nautobot users to security issues such as cross-site scripting (stored XSS). The vulnerability is fixed in Nautobot 1.6.22 and 2.2.4.



HIGH: 7.5CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:H/A:L

Problem types

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

< 1.6.22
affected

>= 2.0.0, < 2.2.4
affected

References

https://github.com/nautobot/nautobot/security/advisories/GHSA-r2hr-4v48-fjv3

https://github.com/nautobot/nautobot/pull/5697

https://github.com/nautobot/nautobot/pull/5698

https://github.com/nautobot/nautobot/commit/4f0a66bd6307bfe0e0acb899233e0d4ad516f51c

https://github.com/nautobot/nautobot/commit/f640aedc69c848d3d1be57f0300fc40033ff6423

cve.org CVE-2024-34707

nvd.nist.gov CVE-2024-34707

Download JSON

Share this page
https://cve.threatint.com/CVE/CVE-2024-34707