PT-2024-32485 · Netbox

Tu3N4Nh · Published 2024-09-21 · Updated 2026-05-09 · CVE-2024-47226

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: NetBox version 4.1.0

Description: A stored cross-site scripting (XSS) issue exists within the "Configuration History" feature of the "Admin" panel via the "/core/config-revisions/" endpoint, specifically through the "Add" action. An authenticated user can inject arbitrary JavaScript or HTML into the "Top banner" field. However, it is noted that multiple third parties have disputed this as not a vulnerability, arguing that the configuration revision banner feature is intended to contain unsanitized HTML for displaying notifications to users.

Recommendations: For NetBox version 4.1.0, consider restricting the use of the "Top banner" field in the "Configuration History" feature until the issue is resolved, as it may allow the injection of arbitrary JavaScript or HTML. However, given the dispute over whether this behavior is a vulnerability or intended functionality, careful consideration should be given to any mitigation measures to avoid unnecessary restrictions on the system's functionality. At the moment, there is no information about a newer version that contains a fix for this issue.

Tags: XSS

Related Identifiers: CVE-2024-47226

Affected Products: Netbox