PT-2023-24497 · Netbox · Netbox
Anhdq201
·
Published
2023-05-24
·
Updated
2024-02-02
·
CVE-2023-33794
CVSS v3.1
5.4
Medium
| Vector | AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Netbox version 3.5.1
Description
A stored cross-site scripting (XSS) issue exists in the Create Tenants function, specifically at the /tenancy/tenants/ API endpoint, allowing attackers to execute arbitrary web scripts or HTML by injecting a crafted payload into the
Name field.Recommendations
For Netbox version 3.5.1, consider disabling the Create Tenants function until a patch is available to prevent exploitation of the stored XSS vulnerability. Restrict access to the /tenancy/tenants/ API endpoint to minimize the risk of arbitrary script execution. Avoid using the
Name field in the Create Tenants function until the issue is resolved.Exploit
Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Netbox