PT-2023-24498 · Netbox · Netbox
Anhdq201
·
Published
2023-05-24
·
Updated
2024-02-02
·
CVE-2023-33795
CVSS v3.1
5.4
Medium
| Vector | AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Netbox version 3.5.1
Description
A stored cross-site scripting (XSS) issue exists in the Create Contact Roles function, specifically at the /tenancy/contact-roles/ API endpoint, allowing attackers to execute arbitrary web scripts or HTML by injecting a crafted payload into the
Name field.Recommendations
For Netbox version 3.5.1, consider disabling the Create Contact Roles function until a patch is available to prevent exploitation of the stored XSS issue. Restrict access to the /tenancy/contact-roles/ API endpoint to minimize the risk of arbitrary script execution. Avoid using the
Name field in the Create Contact Roles function until the issue is resolved.Exploit
Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Netbox