CVE-2024-32979

Name of the Vulnerable Software and Affected Versions Nautobot versions prior to 1.6.20 Nautobot versions prior to 2.2.3

Description A Reflected Cross-Site Scripting (Reflected XSS) attack can be executed against users due to improper handling and escaping of user-provided query parameters in Nautobot. All filterable object-list views in Nautobot are vulnerable, including various API endpoints such as "/dcim/location-types/", "/dcim/locations/", "/dcim/racks/", and many others.

Recommendations For versions prior to 1.6.20, update to version 1.6.20 or later. For versions prior to 2.2.3, update to version 2.2.3 or later. As a temporary workaround, consider restricting access to filterable object-list views until a patch is applied. Avoid using user-provided query parameters in affected API endpoints until the issue is resolved.