Nautobot vulnerable to Reflected Cross-Site Scripting (Reflected XSS) attack
CVE-2024-32979
7.5 HIGH
What is CVE-2024-32979?
The vulnerability in Nautobot arises from improper handling and escaping of user-provided query parameters. This issue allows attackers to craft a malicious Nautobot URL that can execute reflected cross-site scripting (XSS) attacks on unsuspecting users. All filterable object-list views in Nautobot are susceptible to this vulnerability. To address the issue, updates have been released in Nautobot versions 1.6.20 and 2.2.3, with no workarounds available for those using affected versions. Users are strongly advised to upgrade their installations to the latest versions to safeguard against potential XSS exploitation.
Affected Version(s)
nautobot < 1.6.20 (fixed in 1.6.20)
nautobot >= 2.0.0, < 2.2.3 (fixed in 2.2.3)
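The practical check for this advisory is whether an installed Nautobot falls inside the two ranges above. The following is an added example written for this page, not Nautobot's own code or tooling: it encodes the advisory's ranges, compares a version string against them, and reports the fixed release to move to. Pre-release suffixes (for example "1.6.20b1") are treated as older than the final release, which is a deliberate, conservative assumption rather than full PEP 440 semantics; the installed-version lookup via importlib.metadata is likewise an assumption about how the package is installed.

```python
"""Check an installed Nautobot version against the ranges listed for CVE-2024-32979.

Added example, not Nautobot's own code. The ranges come from the advisory:
  nautobot < 1.6.20             -> upgrade to 1.6.20
  nautobot >= 2.0.0, < 2.2.3    -> upgrade to 2.2.3
"""
from __future__ import annotations

import re
from typing import Optional, Tuple

# (major, minor, patch, final) where final is 1 for a release and 0 for any
# pre-release/dev/post suffix. Treating every suffix as "before the final
# release" is a conservative assumption, not PEP 440 ordering.
Version = Tuple[int, int, int, int]

# (lower bound inclusive or None, upper bound exclusive, version that fixes it)
AFFECTED_RANGES = [
    (None,         (1, 6, 20, 1), "1.6.20"),
    ((2, 0, 0, 0), (2, 2, 3, 1),  "2.2.3"),
]

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?(.*?)\s*$")


def parse_version(text: str) -> Version:
    """Turn '2.2.3', '1.5' or '1.6.20b1' into a comparable tuple."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, suffix = m.group(1), m.group(2), m.group(3) or "0", m.group(4)
    final = 0 if suffix else 1  # any suffix counts as a pre-release (assumption)
    return (int(major), int(minor), int(patch), final)


def affected_by_cve_2024_32979(version: str) -> Optional[str]:
    """Return the fixed version to upgrade to if `version` is affected, else None."""
    v = parse_version(version)
    for low, high, fixed in AFFECTED_RANGES:
        if (low is None or v >= low) and v < high:
            return fixed
    return None


def installed_nautobot_version() -> Optional[str]:
    """Read the installed distribution's version; None if Nautobot is not installed."""
    from importlib.metadata import PackageNotFoundError, version

    try:
        return version("nautobot")
    except PackageNotFoundError:
        return None


if __name__ == "__main__":
    installed = installed_nautobot_version()
    if installed is None:
        print("nautobot is not installed in this environment")
    else:
        fixed = affected_by_cve_2024_32979(installed)
        if fixed is None:
            print(f"nautobot {installed}: not in an affected range for CVE-2024-32979")
        else:
            print(f"nautobot {installed}: AFFECTED by CVE-2024-32979, upgrade to {fixed}")
```

Run it inside the virtual environment that serves Nautobot, since importlib.metadata only sees packages installed there; the advisory offers no workaround, so a positive result means scheduling the upgrade rather than tuning configuration.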
