CVSS v3.1 base score: 7.1 High
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: Required
Scope: Changed
Confidentiality Impact: Low
Integrity Impact: High
Availability Impact: Low
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:L
AI Score: 6.1 Medium (confidence: High)
EPSS: 0.001 Low (percentile 32.4%)
All users of Nautobot versions earlier than 1.6.10 or 2.1.2 are potentially impacted.
Due to inadequate input sanitization, any user-editable fields that support Markdown rendering are potentially susceptible to cross-site scripting (XSS) attacks via maliciously crafted data. Affected fields include:
Circuit.comments
Cluster.comments
CustomField.description
Device.comments
DeviceRedundancyGroup.comments
DeviceType.comments
Job.description
JobLogEntry.message
Location.comments
Note.note
PowerFeed.comments
Provider.noc_contact
Provider.admin_contact
Provider.comments
ProviderNetwork.comments
Rack.comments
Tenant.comments
VirtualMachine.comments
markdown description attributes
the SUPPORT_MESSAGE system configuration setting
Exploitation requires an authenticated account that can write to one of these fields (PR:L) and a victim who views the rendered content (UI:R); the Scope: Changed rating reflects that the injected script runs in the victim's browser session rather than in Nautobot itself.
Fixed in Nautobot versions 1.6.10 and 2.1.2.
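The block below is an added illustration of this bug class, not Nautobot's own rendering code and not a reproduction of the project's fix. It pairs a toy Markdown step that, like real Markdown, passes inline HTML through untouched (the vulnerable shape: a stored comment containing an event handler reaches the browser as markup) with an allowlist sanitizer applied to the rendered HTML. The renderer, the tag and attribute allowlists, the accepted URL schemes and the sample comment are all constructed for this example; the allowlists are an assumption, not Nautobot's actual lists.

```python
"""Markdown-rendered fields and XSS: raw-HTML passthrough vs. allowlist sanitizing.

Example code added for illustration; it is not Nautobot's code and does not
reproduce the project's fix. The toy renderer, allowlists and sample input are
all constructed here.
"""
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlists for this example (Nautobot's real lists may differ).
ALLOWED_TAGS = {"p", "br", "a", "strong", "em", "code", "pre", "blockquote",
                "ul", "ol", "li", "h1", "h2", "h3", "table", "thead", "tbody",
                "tr", "th", "td", "img"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "title"}}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"", "http", "https", "mailto"}  # "" = relative URL
VOID_TAGS = {"br", "img"}
DROP_CONTENT = {"script", "style"}  # the tag and its text are both discarded


def render_markdown_unsafe(text):
    """Toy stand-in for a Markdown library: converts **bold** and wraps a paragraph.
    Like real Markdown, it passes inline HTML through untouched, so a comment
    containing <img onerror=...> reaches the browser as-is. This is the bug shape."""
    body = re.sub(r"\*\*(.+?)\*\*", r"<strong>\1</strong>", text)
    return f"<p>{body}</p>"


def _safe_url(value):
    # Check the scheme with all whitespace removed so "java\tscript:" cannot slip past.
    scheme = urlparse("".join(value.split())).scheme.lower()
    return scheme in SAFE_SCHEMES


class _Sanitizer(HTMLParser):
    """Rebuilds HTML keeping only allowlisted tags, attributes and URL schemes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip = 0  # > 0 while inside a DROP_CONTENT element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip += 1
            return
        if self.skip:
            return
        if tag not in ALLOWED_TAGS:
            # Unknown tag (e.g. <svg onload=...>) becomes visible text, not markup.
            self.out.append(escape(self.get_starttag_text()))
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops on* handlers, style, srcdoc, ...
            value = value or ""
            if name in URL_ATTRS and not _safe_url(value):
                continue  # drops javascript:, data:, vbscript: ...
            kept.append(f' {name}="{escape(value)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif self.skip:
            return
        elif tag in ALLOWED_TAGS:
            if tag not in VOID_TAGS:
                self.out.append(f"</{tag}>")
        else:
            self.out.append(escape(f"</{tag}>"))

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))
    # Comments, doctype and processing instructions fall through to the
    # HTMLParser defaults, which discard them.


def sanitize_html(html):
    parser = _Sanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


def render_markdown_safe(text):
    """Hardened form: sanitize the rendered HTML, never the Markdown source."""
    return sanitize_html(render_markdown_unsafe(text))


# Constructed sample: what an attacker might store in Rack.comments.
SAMPLE_COMMENT = ('Rack audited **2024-01** <img src=x onerror="alert(document.cookie)"> '
                  '<a href="javascript:alert(1)">ticket</a>')

if __name__ == "__main__":
    print("unsafe:", render_markdown_unsafe(SAMPLE_COMMENT))
    print("safe:  ", render_markdown_safe(SAMPLE_COMMENT))
```

Two design points carry over to the real fix regardless of library: sanitize the HTML that comes out of the Markdown renderer (sanitizing the Markdown source is bypassable, since the renderer itself can emit HTML), and use an allowlist of tags, attributes and URL schemes rather than a denylist of known-bad strings, so that event-handler attributes and javascript: URLs are dropped by default instead of being enumerated.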
https://github.com/nautobot/nautobot/pull/5133
https://github.com/nautobot/nautobot/pull/5134
github.com/nautobot/nautobot
github.com/nautobot/nautobot/commit/17effcbe84a72150c82b138565c311bbee357e80
github.com/nautobot/nautobot/commit/64312a4297b5ca49b6cdedf477e41e8e4fd61cce
github.com/nautobot/nautobot/security/advisories/GHSA-v4xv-795h-rv4h
github.com/pypa/advisory-database/tree/main/vulns/nautobot/PYSEC-2024-16.yaml
nvd.nist.gov/vuln/detail/CVE-2024-23345