Cross-site scripting in Nautobot - CVE-2024-34707
Published: May 13, 2024 / Updated: May 11, 2026
Nautobot
Detailed vulnerability description
The vulnerability allows a remote privileged user to perform stored cross-site scripting (XSS) attacks against other Nautobot users.
The vulnerability exists because the values of the BANNER_TOP, BANNER_BOTTOM, and BANNER_LOGIN configuration settings are rendered into web pages without proper sanitization of HTML. These settings can be changed at runtime via the /admin/constance/config/ endpoint, which is reachable only by users with access to the Django admin interface. A remote user with that access can store arbitrary HTML, including script, in a banner setting; the stored content is then rendered to every user who loads a page carrying that banner. BANNER_TOP and BANNER_BOTTOM appear on all Nautobot pages, and BANNER_LOGIN appears on the login page, so the latter is rendered to visitors before they authenticate.
User interaction is required to exploit this vulnerability: a victim must load a page on which the injected banner is rendered, although no click on a crafted link is needed because the payload is stored server-side.
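The following is an added example, not Nautobot's code and not the project's actual fix: it shows the unsafe behaviour described above (a banner value passed straight through to the page) next to an allowlist sanitizer that a practitioner would expect between the stored setting and the rendered template, plus a small audit check for banner values that already look like an injection attempt. The payload, the allowed tag set, and the helper names (sanitize_banner, audit_banner_setting) are constructed for illustration; how Nautobot itself renders banners is not reproduced here.

```python
"""Illustrative banner sanitizer and audit check (added example, not Nautobot code).

Assumes a constructed payload of the kind a privileged user could store in
BANNER_TOP via /admin/constance/config/. The allowlist below is an assumption
chosen for the example, not Nautobot's own list.
"""
import re
from html import escape
from html.parser import HTMLParser

# Tags/attributes a status banner legitimately needs (assumed allowlist).
ALLOWED_TAGS = {"a", "b", "strong", "i", "em", "p", "br", "span"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "span": {"class"}}
VOID_TAGS = {"br"}
# Whole subtrees that are dropped, content included.
SKIP_TAGS = {"script", "style", "iframe", "object", "embed"}
# Only these URL schemes/forms are acceptable in href (blocks javascript:, data:).
SAFE_URL = re.compile(r"^(https?:|mailto:|/|#)", re.IGNORECASE)


def render_banner_unsafe(raw: str) -> str:
    """The vulnerable pattern: the stored value is emitted into the page as-is."""
    return raw


class BannerSanitizer(HTMLParser):
    """Rebuild the markup keeping only allowlisted tags and attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []      # sanitized output fragments
        self.stack = []    # open allowlisted tags, so we can close them
        self.skip_depth = 0  # > 0 while inside a SKIP_TAGS subtree

    def handle_starttag(self, tag, attrs):
        if tag in SKIP_TAGS:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name.startswith("on"):                      # event handlers
                continue
            if name not in ALLOWED_ATTRS.get(tag, set()):  # not allowlisted
                continue
            if name == "href" and not SAFE_URL.match(value.strip()):
                continue                                   # unsafe scheme
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag in SKIP_TAGS:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        if tag in self.stack:
            # Close everything opened after this tag, then the tag itself.
            while self.stack:
                open_tag = self.stack.pop()
                self.out.append(f"</{open_tag}>")
                if open_tag == tag:
                    break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))  # text is always escaped

    def result(self) -> str:
        super().close()  # flush buffered data
        while self.stack:  # close any tags the input left open
            self.out.append(f"</{self.stack.pop()}>")
        return "".join(self.out)


def sanitize_banner(raw: str) -> str:
    """The hardened pattern: sanitize before the value is marked safe for a template."""
    parser = BannerSanitizer()
    parser.feed(raw)
    return parser.result()


# Indicators that a stored banner value is already carrying an injection attempt.
SUSPICIOUS = re.compile(r"<\s*(script|iframe|object|embed)\b|\bon[a-z]+\s*=|javascript:", re.IGNORECASE)


def audit_banner_setting(name: str, value: str) -> bool:
    """Return True if the given banner setting value looks like an XSS payload."""
    return bool(SUSPICIOUS.search(value))


# Constructed payload: what an attacker with admin access might save as BANNER_TOP.
SAMPLE_PAYLOAD = (
    "<b>Maintenance</b> <script>fetch('/api/users/tokens/')</script>"
    '<a href="javascript:alert(1)" onclick="x()">link</a><img src=x onerror=alert(1)>'
)

if __name__ == "__main__":
    print("unsafe   :", render_banner_unsafe(SAMPLE_PAYLOAD))
    print("sanitized:", sanitize_banner(SAMPLE_PAYLOAD))
    print("flagged  :", audit_banner_setting("BANNER_TOP", SAMPLE_PAYLOAD))
```

The audit function is meant to be run over the current BANNER_TOP, BANNER_BOTTOM, and BANNER_LOGIN values when assessing an instance that was exposed before patching, since a payload already stored by a privileged user remains in the configuration until it is removed; a hit does not prove compromise, but it is the first thing to check.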