nautobot has reflected Cross-site Scripting potential in all object list views

Impact

It was discovered that due to improper handling and escaping of user-provided query parameters, a maliciously crafted Nautobot URL could potentially be used to execute a Reflected Cross-Site Scripting (Reflected XSS) attack against users. All filterable object-list views in Nautobot are vulnerable, including:

• /dcim/location-types/
• /dcim/locations/
• /dcim/racks/
• /dcim/rack-groups/
• /dcim/rack-reservations/
• /dcim/rack-elevations/
• /tenancy/tenants/
• /tenancy/tenant-groups/
• /extras/tags/
• /extras/statuses/
• /extras/roles/
• /extras/dynamic-groups/
• /dcim/devices/
• /dcim/platforms/
• /dcim/virtual-chassis/
• /dcim/device-redundancy-groups/
• /dcim/interface-redundancy-groups/
• /dcim/device-types/
• /dcim/manufacturers/
• /dcim/cables/
• /dcim/console-connections/
• /dcim/power-connections/
• /dcim/interface-connections/
• /dcim/interfaces/
• /dcim/front-ports/
• /dcim/rear-ports/
• /dcim/console-ports/
• /dcim/console-server-ports/
• /dcim/power-ports/
• /dcim/power-outlets/
• /dcim/device-bays/
• /dcim/inventory-items/
• /ipam/ip-addresses/
• /ipam/prefixes
• /ipam/rirs/
• /ipam/namespaces/
• /ipam/vrfs/
• /ipam/route-targets/
• /ipam/vlans/
• /ipam/vlan-groups/
• /ipam/services/
• /virtualization/virtual-machines/
• /virtualization/interfaces/
• /virtualization/clusters/
• /virtualization/cluster-types/
• /virtualization/cluster-groups/
• /circuits/circuits/
• /circuits/circuit-types/
• /circuits/providers/
• /circuits/provider-networks/
• /dcim/power-feeds/
• /dcim/power-panels/
• /extras/secrets/
• /extras/secrets-groups/
• /extras/jobs/
• /extras/jobs/scheduled-jobs/approval-queue/
• /extras/jobs/scheduled-jobs/
• /extras/job-results/
• /extras/job-hooks/
• /extras/job-buttons/
• /extras/object-changes/
• /extras/git-repositories/
• /extras/graphql-queries/
• /extras/relationships/
• /extras/notes/
• /extras/config-contexts/
• /extras/config-context-schemas/
• /extras/export-templates/
• /extras/external-integrations/
• /extras/webhooks/
• /extras/computed-fields/
• /extras/custom-fields/
• /extras/custom-links/

as well as any similar object-list views provided by any Nautobot App.

Patches

Fixed in Nautobot 1.6.20 and 2.2.3.

Workarounds

No workaround has been identified

References

• #5646
• #5647

Credit to Michael Panorios for reporting this issue.