CVE-2024-23345 HIGH

CVE-2024-23345: Nautobot has XSS potential in rendered Markdown fields

Vendor Nautobot
Product nautobot
Weakness CWE-79 · XSS
Published January 22, 2024
Last update May 30, 2025

CVSS base score

7.1/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction Required
Scope Changed
Confidentiality Low
Integrity High
Availability Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:L

What the vulnerability does

Description

Nautobot is a Network Source of Truth and Network Automation Platform built as a web application. All users of Nautobot versions earlier than 1.6.10 or 2.1.2 are potentially affected by a cross-site scripting vulnerability. Due to inadequate input sanitization, any user-editable field that supports Markdown rendering is potentially susceptible to cross-site scripting (XSS) via maliciously crafted data. This issue is fixed in Nautobot versions 1.6.10 and 2.1.2.
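As an added illustration of the defensive control for this bug class (this is not Nautobot's code and not the fix shipped in 1.6.10 / 2.1.2): the HTML that a Markdown renderer produces from a user-editable field must pass through an allowlist sanitizer before it reaches the page template. The stdlib-only sanitizer below assumes the caller has already rendered Markdown to HTML; the tag and attribute allowlist, the `sanitize_rendered_markdown` name and the sample input are all assumptions constructed for this example, not values taken from the project.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allowlist (assumed for this example): formatting tags a rendered note needs.
ALLOWED_TAGS = {"p", "br", "strong", "em", "code", "pre", "ul", "ol", "li",
                "a", "h1", "h2", "h3", "blockquote"}
ALLOWED_ATTRS = {"a": {"href", "title"}}      # no event handlers, no style
SAFE_URL_SCHEMES = {"http", "https", "mailto", ""}  # "" = relative URL
VOID_TAGS = {"br"}
# Elements whose entire subtree is discarded, not just the tag itself.
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}


def _safe_url(value: str) -> bool:
    """Reject javascript:, data: and any other non-allowlisted scheme."""
    return urlparse(value.strip()).scheme.lower() in SAFE_URL_SCHEMES


class AllowlistSanitizer(HTMLParser):
    """Re-serialises only allowlisted tags/attributes; everything else is
    dropped and all text is re-escaped, so no raw markup survives."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropping = []  # stack of open tags whose subtree is being removed

    def handle_starttag(self, tag, attrs):
        if self.dropping:
            if tag not in VOID_TAGS:
                self.dropping.append(tag)
            return
        if tag in DROP_WITH_CONTENT:
            self.dropping.append(tag)
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown tag removed; its text content is still kept
        safe_attrs = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue  # onerror=, style=, etc. never reach the output
            if name == "href" and not _safe_url(value):
                continue
            safe_attrs.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(safe_attrs)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # <br/> and friends

    def handle_endtag(self, tag):
        if self.dropping:
            if tag == self.dropping[-1]:
                self.dropping.pop()
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.dropping:
            self.out.append(escape(data, quote=False))


def sanitize_rendered_markdown(html: str) -> str:
    """Sanitise HTML produced by a Markdown renderer before templating it."""
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


# Constructed sample: what a renderer emits when a user field embeds raw HTML.
SAMPLE_RENDERED = (
    "<p>Switch <strong>core-sw1</strong> replaced.</p>"
    "<script>alert(document.cookie)</script>"
    '<p><img src="x" onerror="alert(1)"></p>'
    '<p><a href="javascript:alert(1)" title="t">docs</a> '
    '<a href="https://example.com/runbook">runbook</a></p>'
)

if __name__ == "__main__":
    print(sanitize_rendered_markdown(SAMPLE_RENDERED))
```

Apply the sanitizer to the renderer's output rather than to the raw Markdown text: link targets and similar constructs only become attributes once the renderer has run, so filtering beforehand misses them. Keeping an allowlist (rather than a blocklist of known-bad tags) is what makes the control hold up as new elements and attributes appear.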

Key dates

Disclosure timeline

January 22, 2024 CVE published
May 30, 2025 Record updated