GHSA-v4xv-795h-rv4h
Suggest an improvement- Source
- https://github.com/advisories/GHSA-v4xv-795h-rv4h
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/01/GHSA-v4xv-795h-rv4h/GHSA-v4xv-795h-rv4h.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-v4xv-795h-rv4h
- Aliases
- Published
- 2024-01-23T14:44:22Z
- Modified
- 2025-02-15T05:42:28.462602Z
- Severity
-
- 7.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:L CVSS Calculator
- Summary
- XSS potential in rendered Markdown fields (comments, description, notes, etc.)
- Details
-
Impact
All users of Nautobot versions earlier than 1.6.10 or 2.1.2 are potentially impacted.
Due to inadequate input sanitization, any user-editable fields that support Markdown rendering, including:
Circuit.commentsCluster.commentsCustomField.descriptionDevice.commentsDeviceRedundancyGroup.commentsDeviceType.commentsJob.descriptionJobLogEntry.messageLocation.commentsNote.notePowerFeed.commentsProvider.noc_contactProvider.admin_contactProvider.commentsProviderNetwork.commentsRack.commentsTenant.commentsVirtualMachine.comments- Contents of any custom fields of type
markdown - Job class
descriptionattributes - The
SUPPORT_MESSAGEsystem configuration setting
are potentially susceptible to cross-site scripting (XSS) attacks via maliciously crafted data.
Patches
Fixed in Nautobot versions 1.6.10 and 2.1.2.
References
https://github.com/nautobot/nautobot/pull/5133 https://github.com/nautobot/nautobot/pull/5134
- Database specific
{ "github_reviewed_at": "2024-01-23T14:44:22Z", "severity": "HIGH", "github_reviewed": true, "cwe_ids": [ "CWE-79" ], "nvd_published_at": "2024-01-23T00:15:26Z" }- References
-
- https://github.com/nautobot/nautobot/security/advisories/GHSA-v4xv-795h-rv4h
- https://nvd.nist.gov/vuln/detail/CVE-2024-23345
- https://github.com/nautobot/nautobot/pull/5133
- https://github.com/nautobot/nautobot/pull/5134
- https://github.com/nautobot/nautobot/commit/17effcbe84a72150c82b138565c311bbee357e80
- https://github.com/nautobot/nautobot/commit/64312a4297b5ca49b6cdedf477e41e8e4fd61cce
- https://github.com/nautobot/nautobot
- https://github.com/pypa/advisory-database/tree/main/vulns/nautobot/PYSEC-2024-16.yaml
Affected packages
PyPI / nautobot
Package
- Name
- nautobot
- View open source insights on deps.dev
- Purl
- pkg:pypi/nautobot
PyPI / nautobot
Package
- Name
- nautobot
- View open source insights on deps.dev
- Purl
- pkg:pypi/nautobot
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1.6.10
Affected versions
1.*
1.0.0a1
1.0.0a2
1.0.0b1
1.0.0b2
1.0.0b3
1.0.0b4
1.0.0
1.0.1
1.0.2
1.0.3
1.1.0
1.1.1
1.1.2
1.1.3
1.1.4
1.1.5
1.1.6
1.2.0
1.2.1
1.2.2
1.2.3
1.2.4
1.2.5
1.2.6
1.2.7
1.2.8
1.2.9
1.2.10
1.2.11
1.3.0
1.3.1
1.3.2
1.3.3
1.3.4
1.3.5
1.3.6
1.3.7
1.3.8
1.3.9
1.3.10
1.4.0
1.4.1
1.4.2
1.4.3
1.4.4
1.4.5
1.4.7
1.4.8
1.4.9
1.4.10
1.5.0
1.5.1
1.5.2
1.5.3
1.5.4
1.5.5
1.5.6
1.5.7
1.5.8
1.5.9
1.5.10
1.5.11
1.5.12
1.5.13
1.5.14
1.5.15
1.5.16
1.5.17
1.5.18
1.5.19
1.5.20
1.5.21
1.5.22
1.5.23
1.5.24
1.6.0
1.6.1
1.6.2
1.6.3
1.6.4
1.6.5
1.6.6
1.6.7
1.6.8
1.6.9