Cross-site scripting in Nautobot - CVE-2024-34707

Published: May 13, 2024 / Updated: May 11, 2026


Vulnerability identifier: #VU130960
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2024-34707
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Nautobot
Affected software: Nautobot

Detailed vulnerability description

The vulnerability allows a remote user to inject arbitrary HTML content into Nautobot pages.

The vulnerability exists due to cross-site scripting in the BANNER_TOP, BANNER_BOTTOM, and BANNER_LOGIN configuration settings via the /admin/constance/config/ endpoint when rendering banner content in web pages. A remote privileged user can modify these settings to inject arbitrary HTML content into Nautobot pages.

User interaction is required to expose other users to the injected content.
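The failure mode described above, as an added illustration that is not Nautobot's own code: a banner setting interpolated into the page as raw markup (the vulnerable pattern), beside an allowlist sanitiser that keeps harmless formatting and drops script, event handlers and unsafe URL schemes. The sample banner value is constructed; the setting name BANNER_TOP is taken from this advisory.

```python
# Added illustration for this advisory, not Nautobot's own code: raw banner
# rendering (vulnerable) beside an allowlist sanitiser (hardened).
from html import escape
from html.parser import HTMLParser

# Constructed sample of a value a privileged user could store in BANNER_TOP.
CONSTRUCTED_BANNER = ('Maintenance <b>tonight</b> '
                      '<img src=x onerror=alert(1)><script>alert(2)</script>')

ALLOWED_TAGS = {"b", "i", "em", "strong", "a"}
ALLOWED_ATTRS = {"a": {"href"}}          # no on* handlers, no style, no src
SAFE_SCHEMES = ("http://", "https://")   # rejects javascript: and data: URLs

def render_banner_unsafe(banner: str) -> str:
    # Vulnerable pattern: the stored setting is interpolated verbatim.
    return f'<div class="banner">{banner}</div>'

class _BannerSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self._skip = [], 0   # _skip > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
        elif tag in ALLOWED_TAGS:
            kept = "".join(
                f' {n}="{escape(v, quote=True)}"' for n, v in attrs
                if n in ALLOWED_ATTRS.get(tag, set()) and v
                and v.strip().lower().startswith(SAFE_SCHEMES))
            self.out.append(f"<{tag}{kept}>")   # unknown tags (img, iframe...) vanish

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip = max(0, self._skip - 1)
        elif tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data))      # text content is always entity-escaped

def sanitize_banner(banner: str) -> str:
    parser = _BannerSanitizer()
    parser.feed(banner)
    parser.close()
    return "".join(parser.out)

def render_banner_safe(banner: str) -> str:
    # Hardened pattern: sanitise before the value reaches the template.
    return f'<div class="banner">{sanitize_banner(banner)}</div>'
```

Escaping everything with `escape()` alone is the simpler fix when banners need no markup at all; the allowlist is for deployments that want bold text and links to survive.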


How to mitigate CVE-2024-34707

Install the security update from the vendor's website.

Sources