CVE-2024-34707 Information

Description

Nautobot is a Network Source of Truth and Network Automation Platform. A Nautobot user with admin privileges can modify the BANNER_TOP, BANNER_BOTTOM, and BANNER_LOGIN configuration settings via the /admin/constance/config/ endpoint. Normally these settings are used to provide custom banner text at the top and bottom of all Nautobot web pages (or, in the case of BANNER_LOGIN, specifically on the login page), but it was reported that an admin user can use these settings to inject arbitrary HTML, potentially exposing Nautobot users to security issues such as stored cross-site scripting (XSS). The vulnerability is fixed in Nautobot 1.6.22 and 2.2.4.
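The root cause described above is a configuration value that is rendered into every page as raw HTML. The usual mitigation is to pass such a value through an allowlist sanitizer before it reaches the template, so that harmless markup (bold text, links, line breaks) survives while script tags, event-handler attributes and javascript: URLs are dropped. The following is an added, illustrative example written for this page; it is not Nautobot's code and does not reproduce the project's actual fix. It uses only the Python standard library, and the tag and attribute allowlists are assumptions chosen for a banner use case.

```python
"""Allowlist-based HTML sanitizer for banner-style settings (illustrative example).

Not Nautobot's implementation: the allowlists below are assumptions for a banner
use case. Anything not explicitly allowed is removed, which is the property that
prevents an admin-controlled setting from turning into stored XSS.
"""
from html import escape
from html.parser import HTMLParser

# Assumed allowlists: simple formatting plus links, nothing that can run code.
ALLOWED_TAGS = {"b", "i", "u", "strong", "em", "p", "br", "span", "div", "a", "ul", "ol", "li"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "span": {"class"}, "div": {"class"}}
SAFE_URL_PREFIXES = ("http://", "https://", "mailto:", "/")
DROP_WITH_CONTENT = {"script", "style"}  # tag *and* its contents are discarded
VOID_TAGS = {"br"}                        # allowed tags that never get a closing tag


class BannerSanitizer(HTMLParser):
    """Rebuilds the input keeping only allowlisted tags/attributes; text is re-escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside <script>/<style>, whose content is dropped

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            if tag in DROP_WITH_CONTENT:
                self.skip_depth += 1
            return
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = 1
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown tag (e.g. <img>, <iframe>) is stripped; inner text is kept
        parts = [tag]
        for name, value in attrs:
            name = name.lower()
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops onerror=, onclick=, style=, srcdoc=, ...
            if name == "href" and not (value or "").strip().lower().startswith(SAFE_URL_PREFIXES):
                continue  # drops javascript:, data:, vbscript: and similar URLs
            parts.append(f'{name}="{escape(value or "", quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag in DROP_WITH_CONTENT:
                self.skip_depth -= 1
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            # convert_charrefs=True gave us decoded text, so re-escape it on output
            self.out.append(escape(data, quote=False))


def sanitize_banner(raw_html: str) -> str:
    """Return a version of raw_html that is safe to mark as trusted in a template."""
    parser = BannerSanitizer()
    parser.feed(raw_html or "")
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample banner values, one benign and several hostile.
    samples = [
        "<b>Maintenance window</b> tonight 22:00-23:00 UTC",
        "<img src=x onerror=alert(1)>Notice",
        "<script>alert(document.cookie)</script>Hello",
        '<a href="javascript:alert(1)">click</a>',
        '<a href="https://example.invalid/status" onclick="steal()">status page</a>',
    ]
    for s in samples:
        print(repr(s), "->", repr(sanitize_banner(s)))
```

The important design choice is that the sanitizer is an allowlist, not a blocklist: it never tries to recognise dangerous constructs, it only emits constructs it knows to be safe. Once a setting has passed through `sanitize_banner`, the template can render it without escaping; until then it must be treated as plain text. A second, independent control is to audit who holds the admin role that can change these settings, since the advisory's precondition is an admin-level account.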

Reference

https://github.com/nautobot/nautobot/security/advisories/GHSA-r2hr-4v48-fjv3
https://github.com/nautobot/nautobot/pull/5697
https://github.com/nautobot/nautobot/pull/5698
https://github.com/nautobot/nautobot/commit/4f0a66bd6307bfe0e0acb899233e0d4ad516f51c
https://github.com/nautobot/nautobot/commit/f640aedc69c848d3d1be57f0300fc40033ff6423