Nautobot · Nautobot · CVE-2024-34707
**Name of the Vulnerable Software and Affected Versions**
Nautobot versions prior to 1.6.22
Nautobot versions prior to 2.2.4
**Description**
A Nautobot user with admin privileges can modify the `BANNER_TOP`, `BANNER_BOTTOM`, and `BANNER_LOGIN` configuration settings via the "/admin/constance/config/" endpoint. Normally these settings provide custom banner text at the top and bottom of all Nautobot web pages (or specifically on the login page in the case of `BANNER_LOGIN`), but it was reported that an admin user can use these settings to inject arbitrary HTML, potentially exposing Nautobot users to security issues such as stored cross-site scripting (XSS).
**Recommendations**
For Nautobot versions prior to 1.6.22 and 2.2.4, upgrade to version 1.6.22 or 2.2.4 to fix the issue.
As a temporary workaround, add the following configuration to `nautobot_config.py` or the equivalent Nautobot configuration file:
```
BANNER_LOGIN = " "
BANNER_TOP = " "
BANNER_BOTTOM = " "
```
Alternatively, for Nautobot 2.x, set the following environment variables for the Nautobot user account:
```
NAUTOBOT_BANNER_LOGIN=" "
NAUTOBOT_BANNER_TOP=" "
NAUTOBOT_BANNER_BOTTOM=" "
```
Limiting all users who do not need elevated privileges to non-admin access (`is_superuser: False` and `is_staff: False`) is a partial mitigation as well.
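An audit script, added here and not part of Nautobot or this advisory, that checks whether the workaround above is actually in effect: it parses a `nautobot_config.py` with `ast`, reads the `NAUTOBOT_BANNER_*` environment variables, and flags any banner value that is non-blank or contains HTML tags. The config fragment and environment dict are constructed samples.

```python
import ast
from html.parser import HTMLParser

BANNER_SETTINGS = ("BANNER_LOGIN", "BANNER_TOP", "BANNER_BOTTOM")

class _TagCollector(HTMLParser):
    """Records every HTML start tag seen in a banner value."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

def html_tags(value):
    """Return the HTML start tags found in a banner string ([] for plain text)."""
    collector = _TagCollector()
    collector.feed(value)
    return collector.tags

def banner_values_from_config(config_source):
    """Collect top-level string assignments to BANNER_* from nautobot_config.py text."""
    found = {}
    for node in ast.parse(config_source).body:
        if not isinstance(node, ast.Assign):
            continue
        if not (isinstance(node.value, ast.Constant) and isinstance(node.value.value, str)):
            continue  # only literal strings are audited; computed values need manual review
        for target in node.targets:
            if isinstance(target, ast.Name) and target.id in BANNER_SETTINGS:
                found[target.id] = node.value.value
    return found

def audit_banners(config_source, environ):
    """Return {name: problem} for each config-file or NAUTOBOT_BANNER_* value that is
    not blank (empty or whitespace-only, which is what the workaround sets)."""
    values = banner_values_from_config(config_source)
    for name in BANNER_SETTINGS:
        if "NAUTOBOT_" + name in environ:
            values["NAUTOBOT_" + name] = environ["NAUTOBOT_" + name]
    problems = {}
    for name, value in values.items():
        if value.strip():
            tags = html_tags(value)
            problems[name] = "html tags: " + ", ".join(tags) if tags else "non-blank text"
    return problems

# Constructed sample config fragment and environment, not from any real deployment.
SAMPLE_CONFIG = 'ALLOWED_HOSTS = ["*"]\nBANNER_TOP = "<b>Maintenance tonight</b>"\nBANNER_BOTTOM = " "\n'
SAMPLE_ENV = {"NAUTOBOT_BANNER_LOGIN": " "}
```

Run `audit_banners(open("nautobot_config.py").read(), os.environ)` against a real deployment; an empty result means every banner source is blank.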