Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2024-23345

Nautobot is a Network Source of Truth and Network Automation Platform built as a web application. All users of Nautobot versions earlier than 1.6.10 or 2.1.2 are potentially impacted by a cross-site scripting vulnerability. Due to inadequate input sanitization, any user-editable fields that support Markdown rendering, including are potentially susceptible to cross-site scripting (XSS) attacks via maliciously crafted data. This issue is fixed in Nautobot versions 1.6.10 and 2.1.2.

Published

2024-01-23T00:15:26.690

Last Modified

2024-11-21T08:57:33.283

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 7.1 (HIGH)

Weaknesses

Type: Secondary
CWE-79

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	networktocode	nautobot	< 1.6.10	Yes
Application	networktocode	nautobot	< 2.1.2	Yes

References

https://github.com/nautobot/nautobot/commit/17effcbe84a72150c82b138565c311bbee357e80 Patch ([email protected])
https://github.com/nautobot/nautobot/commit/64312a4297b5ca49b6cdedf477e41e8e4fd61cce Patch ([email protected])
https://github.com/nautobot/nautobot/pull/5133 Patch ([email protected])
https://github.com/nautobot/nautobot/pull/5134 Patch ([email protected])
https://github.com/nautobot/nautobot/security/advisories/GHSA-v4xv-795h-rv4h Vendor Advisory ([email protected])
https://github.com/nautobot/nautobot/commit/17effcbe84a72150c82b138565c311bbee357e80 Patch (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/nautobot/nautobot/commit/64312a4297b5ca49b6cdedf477e41e8e4fd61cce Patch (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/nautobot/nautobot/pull/5133 Patch (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/nautobot/nautobot/pull/5134 Patch (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/nautobot/nautobot/security/advisories/GHSA-v4xv-795h-rv4h Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)