SB2024051367 - Cross-site scripting in Nautobot



SB2024051367 - Cross-site scripting in Nautobot

Published: May 13, 2024 Updated: May 11, 2026

Security Bulletin ID SB2024051367
CSH Severity
Low
Patch available
YES
Number of vulnerabilities 1
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Low 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 1 vulnerability.


1) Cross-site scripting (CVE-ID: CVE-2024-34707)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear


The vulnerability allows a remote user to inject arbitrary HTML content into Nautobot pages.

The vulnerability exists due to cross-site scripting in the BANNER_TOP, BANNER_BOTTOM, and BANNER_LOGIN configuration settings via the /admin/constance/config/ endpoint when rendering banner content in web pages. A remote privileged user can modify these settings to inject arbitrary HTML content into Nautobot pages.

User interaction is required to expose other users to the injected content.


Remediation

Install update from vendor's website.