Summary
In NetBox releases prior to v4.0.6 certain object fields are not properly sanitized on render, potentially allowing JavaScript code entered into those fields to be executed. Stored cross-site scripting (also known as stored XSS) occurs when a web application gathers input from a user which might be malicious (typically Javascript), and then stores that input in a data store for later use.
Affected Products
- NetBox v4.0.5 and earlier
Unaffected Products
Vulnerability Details
Certain object attributes (such as the name field of the region and location models) are incorrectly marked as "safe" strings, without being properly escaped prior to display in the web interface. As such, by inserting JavaScript in those field will result in the code being interpreted.
- Attack vectors
- The NetBox web user interface is the only known vector.
- Affected objects
- Cable terminations displayed within a table column
- Custom link names (button text)
- Object representations cited within an error message as the cause of a ProtectedError or RestrictedError exception
- Object representations displayed within the "breadcrumbs" for a nested tree (e.g. nested regions)
Impact
- Severity Level: Moderate (CVSS Score: 6.4)
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:L
Potential Impact
A malicious user with sufficient privilege is capable of injecting arbitrary script content into another user’s browsing session through XSS. Injected content may contain malicious JavaScript designed to exploit or harm a user's browser.
Mitigation and Workarounds
Only authenticated users who have been granted permission to edit these fields have an opportunity to do so. In general, untrusted users should never be granted permission to modify application data.
Solution
NetBox 4.0.6 includes a fix for this vulnerability.
Contact Information
Please forward any inquiries regarding this report to [email protected].
Disclaimer
This document is provided on an "as is" basis for informational purposes only and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. NetBox Labs reserves the right to change or update this document at any time.
ncsc-pt Reporter
Summary
In NetBox releases prior to v4.0.6 certain object fields are not properly sanitized on render, potentially allowing JavaScript code entered into those fields to be executed. Stored cross-site scripting (also known as stored XSS) occurs when a web application gathers input from a user which might be malicious (typically Javascript), and then stores that input in a data store for later use.
Affected Products
Unaffected Products
Vulnerability Details
Certain object attributes (such as the
namefield of the region and location models) are incorrectly marked as "safe" strings, without being properly escaped prior to display in the web interface. As such, by inserting JavaScript in those field will result in the code being interpreted.Impact
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:LPotential Impact
A malicious user with sufficient privilege is capable of injecting arbitrary script content into another user’s browsing session through XSS. Injected content may contain malicious JavaScript designed to exploit or harm a user's browser.
Mitigation and Workarounds
Only authenticated users who have been granted permission to edit these fields have an opportunity to do so. In general, untrusted users should never be granted permission to modify application data.
Solution
NetBox 4.0.6 includes a fix for this vulnerability.
Contact Information
Please forward any inquiries regarding this report to
[email protected].Disclaimer
This document is provided on an "as is" basis for informational purposes only and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. NetBox Labs reserves the right to change or update this document at any time.