Lucene search

Veracode Vulnerability DatabaseVERACODE:46888

HistoryMay 14, 2024 - 6:31 a.m.

Cross-Site Scripting (XSS)

2024-05-1406:31:24

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

cross-site scripting

nautobot

improper validation

html injection

configuration settings

stored xss

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

HIGH

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:H/A:L

5.2 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

15.7%

JSON

nautobot is vulnerable to Cross-Site Scripting (XSS). The vulnerability is due to improper validation of the BANNER_TOP, BANNER_BOTTOM, and BANNER_LOGIN text, which allows an admin authenticated attacker to inject arbitrary HTML into the configuration settings via the /admin/constance/config/endpoint, potentially exposing other users to stored XSS attacks.

CPENameOperatorVersion
nautobotle1.6.21
nautobotle2.2.3
nautobotle1.6.21
nautobotle2.2.3

Name	Operator	Version
nautobot	le	1.6.21
nautobot	le	2.2.3
nautobot	le	1.6.21
nautobot	le	2.2.3

References

github.com/nautobot/nautobot/commit/4f0a66bd6307bfe0e0acb899233e0d4ad516f51c

github.com/nautobot/nautobot/commit/f640aedc69c848d3d1be57f0300fc40033ff6423

github.com/nautobot/nautobot/pull/5697

github.com/nautobot/nautobot/pull/5698

github.com/nautobot/nautobot/security/advisories/GHSA-r2hr-4v48-fjv3

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

HIGH

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:H/A:L

5.2 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

15.7%

JSON

Related for VERACODE:46888