SB2024051367 - Cross-site scripting in Nautobot
Published: May 13, 2024 Updated: May 11, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 vulnerability.
1) Cross-site scripting (CVE-ID: CVE-2024-34707)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote user to inject arbitrary HTML content into Nautobot pages.
The vulnerability exists due to cross-site scripting in the BANNER_TOP, BANNER_BOTTOM, and BANNER_LOGIN configuration settings via the /admin/constance/config/ endpoint when rendering banner content in web pages. A remote privileged user can modify these settings to inject arbitrary HTML content into Nautobot pages.
User interaction is required to expose other users to the injected content.
Remediation
Install update from vendor's website.