PT-2024-26121 · Nautobot

Michaelpanorios · Published 2024-05-13 · Updated 2025-08-26

CVE-2024-34707
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:H/A:L
Name of the Vulnerable Software and Affected Versions
Nautobot versions prior to 1.6.22
Nautobot versions prior to 2.2.4

Description
A Nautobot user with admin privileges can modify the BANNER_TOP, BANNER_BOTTOM, and BANNER_LOGIN configuration settings via the "/admin/constance/config/" endpoint. Normally these settings provide custom banner text at the top and bottom of all Nautobot web pages (or, for BANNER_LOGIN, on the login page only), but it was reported that an admin user can use these settings to inject arbitrary HTML, potentially exposing Nautobot users to security issues such as stored cross-site scripting (XSS).

Recommendations
For Nautobot versions prior to 1.6.22 and 2.2.4, upgrade to version 1.6.22 or 2.2.4 to fix the issue. As a temporary workaround, add the following configuration to nautobot_config.py or the equivalent Nautobot configuration file:

    BANNER_LOGIN = " "
    BANNER_TOP = " "
    BANNER_BOTTOM = " "

Alternatively, for Nautobot 2.x, set the following environment variables for the Nautobot user account:

    NAUTOBOT_BANNER_LOGIN=" "
    NAUTOBOT_BANNER_TOP=" "
    NAUTOBOT_BANNER_BOTTOM=" "

Limiting all users who do not need elevated privileges to non-admin access (is_superuser: False and is_staff: False) is a partial mitigation as well.
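Because the three banner values are rendered into every Nautobot page as HTML, the practical check for an operator is to read them back and confirm that each is blank (the workaround above) or carries nothing beyond harmless inline markup. The Python below is an added example, not Nautobot's own code and not its fix for this issue: the tag allowlist, the SAFE_URL rule, the audit_banner_settings helper and the SAMPLE_SETTINGS values are constructed assumptions, and on a real instance the values would be read from the "/admin/constance/config/" page or the running Django settings instead.

```python
"""Audit helper for the BANNER_* settings named in CVE-2024-34707 (added example, not Nautobot code)."""
import re
from html import escape
from html.parser import HTMLParser

# The three constance-backed settings named in the advisory.
BANNER_SETTINGS = ("BANNER_TOP", "BANNER_BOTTOM", "BANNER_LOGIN")

# Assumed allowlist for a hardened rendering: simple inline formatting plus links.
# Everything else (script/style bodies, event-handler attributes, unknown tags) is dropped.
ALLOWED_TAGS = {"b", "i", "strong", "em", "br", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_URL = re.compile(r"^(https?:|/)", re.IGNORECASE)  # rejects javascript:/data: style URLs


class _BannerSanitizer(HTMLParser):
    """Rebuilds a banner string keeping only allowlisted tags and attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []       # sanitized fragments, joined at the end
        self.dropped = []   # audit trail of every tag/attribute that was removed
        self._skip = 0      # >0 while inside <script>/<style>, whose text is discarded

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
            self.dropped.append(f"<{tag}>")
            return
        if self._skip:
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append(f"<{tag}>")  # tag removed; its text content is kept
            return
        kept = []
        for name, value in attrs:
            name = name.lower()
            if name in ALLOWED_ATTRS.get(tag, set()) and value and SAFE_URL.match(value.strip()):
                kept.append(f' {name}="{escape(value, quote=True)}"')
            else:
                self.dropped.append(f"{tag}@{name}")
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip = max(0, self._skip - 1)
            return
        if self._skip or tag not in ALLOWED_TAGS or tag == "br":
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data, quote=False))  # text is always re-escaped


def sanitize_banner(value):
    """Return (sanitized_html, dropped_items) for one banner value."""
    parser = _BannerSanitizer()
    parser.feed(value)
    parser.close()
    return "".join(parser.out), parser.dropped


def audit_banner_settings(values):
    """Check each BANNER_* value against the workaround (blank) and the allowlist.

    Returns {setting: dropped_items} for every non-blank banner; an empty list means the
    banner holds only plain text or allowlisted markup. Blank banners are omitted as passing.
    """
    findings = {}
    for key in BANNER_SETTINGS:
        raw = values.get(key, "") or ""
        if raw.strip() == "":
            continue  # matches the advisory's workaround value " "
        _clean, dropped = sanitize_banner(raw)
        findings[key] = dropped
    return findings


# Constructed sample values standing in for what an operator would read back from
# /admin/constance/config/ (or django.conf.settings) on a real instance.
SAMPLE_SETTINGS = {
    "BANNER_TOP": "Welcome to <strong>Lab</strong> &amp; "
                  '<a href="https://wiki.example.internal/policy">policy</a>',
    "BANNER_BOTTOM": " ",
    "BANNER_LOGIN": "<b>Maintenance at 22:00 UTC</b> <script>alert(1)</script>"
                    '<a href="javascript:alert(1)" onclick="x()">details</a>',
}

if __name__ == "__main__":
    for key, dropped in audit_banner_settings(SAMPLE_SETTINGS).items():
        status = "OK" if not dropped else f"DISALLOWED MARKUP {dropped}"
        print(f"{key}: {status}")
        print("  sanitized:", sanitize_banner(SAMPLE_SETTINGS[key])[0])
```

Run against the constructed values, BANNER_BOTTOM passes silently (blank, as the workaround sets it), BANNER_TOP passes with an empty dropped list, and BANNER_LOGIN is reported with the script element and both unsafe anchor attributes removed. The audit trail in dropped is what you would want in a log line, since it names exactly which markup an admin had stored.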

Weakness Enumeration
XSS
Related Identifiers

CVE-2024-34707
GHSA-R2HR-4V48-FJV3

Affected Products

Nautobot