CVE-2024-32979 HIGH

CVE-2024-32979: Reflected Cross-site Scripting potential in all object list views in Nautobot

Vendor Nautobot
Product nautobot
Weakness CWE-79 · XSS
Published May 1, 2024
Last update August 2, 2024

CVSS base score

7.5/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction Required
Scope Changed
Confidentiality Low
Integrity High
Availability Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:L

What the vulnerability does

Description

Nautobot is a Network Source of Truth and Network Automation Platform built as a web application atop the Django Python framework with a PostgreSQL or MySQL database. Because user-provided query parameters were handled and escaped improperly, a maliciously crafted Nautobot URL can be used to mount a Reflected Cross-Site Scripting (Reflected XSS) attack against a user who opens it: the attacker's payload, carried in the URL's query string, is reflected into the rendered page and executes in the victim's browser session. All filterable object-list views in Nautobot are affected. The issue is fixed in Nautobot 1.6.20 (1.x line) and 2.2.3 (2.x line); upgrading is the remedy, as there are no known workarounds.
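The bug class the advisory describes, shown as an added, self-contained example written for this page (it is not Nautobot's code and does not reproduce the actual vulnerable code path; the URL, the filter names and the function names are all constructed for illustration). It parses a filterable list-view URL, renders the "applied filters" back into HTML the unsafe way and the hardened way, and includes the crude check a tester would run against a response body:

```python
"""
Reflected XSS via echoed query-string filters: vulnerable and hardened rendering.

Added example for this page, not Nautobot's own code. Standard library only.
"""
from html import escape
from urllib.parse import parse_qsl, urlsplit

# Constructed sample: a list view with a "name" filter carrying an XSS payload.
# Hypothetical path and parameter names; the payload is URL-encoded as a browser
# would send it.
SAMPLE_URL = (
    "https://nautobot.example/dcim/devices/"
    "?name=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E&status=active"
)


def parse_filters(url):
    """Return the decoded (param, value) pairs from the URL's query string."""
    return parse_qsl(urlsplit(url).query, keep_blank_values=True)


def render_applied_filters_vulnerable(filters):
    """Echo each applied filter as a chip with NO escaping.

    A value such as <img src=x onerror=alert(1)> is emitted verbatim and
    becomes live markup in the victim's browser: this is the reflected-XSS
    pattern. In a Django template the equivalent mistake is marking the
    string safe (|safe, mark_safe, or pre-built strings passed to format_html).
    """
    chips = ['<span class="filter">{}: {}</span>'.format(k, v) for k, v in filters]
    return '<div class="applied-filters">' + "".join(chips) + "</div>"


def render_applied_filters_fixed(filters):
    """Same output, but every user-controlled fragment is HTML-escaped.

    html.escape() with its default quote=True also encodes quotes, so the
    value is inert in attribute context as well as in element content.
    """
    chips = [
        '<span class="filter">{}: {}</span>'.format(escape(k), escape(v))
        for k, v in filters
    ]
    return '<div class="applied-filters">' + "".join(chips) + "</div>"


def reflects_unescaped_markup(rendered_html, filters):
    """Tester's check: does any raw filter value containing '<' survive verbatim
    in the response body? True means the page reflects markup unescaped."""
    return any("<" in v and v in rendered_html for _, v in filters)


if __name__ == "__main__":
    applied = parse_filters(SAMPLE_URL)
    for label, renderer in (
        ("vulnerable", render_applied_filters_vulnerable),
        ("fixed", render_applied_filters_fixed),
    ):
        body = renderer(applied)
        print(label, "reflects unescaped markup:", reflects_unescaped_markup(body, applied))
        print("  ", body)
```

The check is deliberately crude: it only flags payloads that contain `<`, so it will miss reflection into an existing attribute or a script block. When auditing a Django view for this class of bug, look for the filter values (or a helper that renders them) being passed through `mark_safe`, the `|safe` filter, or `format_html` on a string that was already built by interpolation, since Django's template auto-escaping would otherwise have neutralised the payload.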

Key dates

Disclosure timeline

May 1, 2024 CVE published
August 2, 2024 Record updated