PT-2025-26761 · Netbox · Netbox

Published: 2025-06-24 · Updated: 2025-06-30 · CVE-2024-56916

CVSS v3.1: 6.1 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Netbox Community version 4.1.7
Description: In Netbox Community, once authenticated, the Configuration History > Add option is vulnerable to cross-site scripting (XSS) because the current value field renders user-supplied HTML without escaping it. An authenticated attacker can leverage this to store malicious JavaScript in any of the banner fields. Once a victim edits a Configuration History version or attempts to add a new version, the XSS payload is triggered.
Recommendations: For Netbox Community version 4.1.7, as a temporary workaround, consider disabling the current value field in the Configuration History > Add option until a patch is available. Restrict access to the Configuration History feature to minimize the risk of exploitation. Avoid using the banner fields in the affected Configuration History version until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
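To make the described defect and its fix concrete, the following Python example (added here; it is not NetBox's own code and does not reproduce its templates) contrasts rendering a stored banner value raw with rendering it HTML-escaped, and adds a small audit helper a defender can run over stored configuration revisions to flag values that carry markup. The sample banner values are constructed for the example.

```python
import html
import re

# Constructed sample values as they might be stored in a config revision's
# banner field (hypothetical data, not taken from any real NetBox instance).
SAMPLE_BANNERS = {
    "benign": "Maintenance window Friday 22:00 UTC",
    "markup": 'Welcome <b onmouseover="x()">users</b>',
}

# Simple heuristic for auditing stored banner values: flags an HTML tag
# opener (e.g. "<b", "</b") or a script-scheme URL. Meant for review of
# existing data, not as a substitute for escaping at output time.
_ACTIVE_CONTENT = re.compile(r"</?[a-zA-Z]|javascript\s*:", re.IGNORECASE)


def contains_markup(value: str) -> bool:
    """Return True if a stored banner value carries HTML or a script URL."""
    return bool(_ACTIVE_CONTENT.search(value))


def render_banner_unsafe(value: str) -> str:
    """Mirrors the defect in the advisory: the stored value is dropped into
    the page as-is, so any markup it contains becomes part of the DOM."""
    return f'<div class="banner">{value}</div>'


def render_banner_escaped(value: str) -> str:
    """Hardened form: HTML-escape the value at output time so the browser
    shows the text literally instead of interpreting it as markup."""
    return f'<div class="banner">{html.escape(value, quote=True)}</div>'


def audit(banners: dict) -> list:
    """Names of stored banners whose value contains markup and therefore
    needs escaping (or cleanup) before being shown on the add/edit form."""
    return [name for name, value in banners.items() if contains_markup(value)]


if __name__ == "__main__":
    for name, value in SAMPLE_BANNERS.items():
        print(name, "unsafe :", render_banner_unsafe(value))
        print(name, "escaped:", render_banner_escaped(value))
    print("needs attention:", audit(SAMPLE_BANNERS))
```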

Exploit: XSS

Weakness Enumeration:

Related Identifiers: CVE-2024-56916

Affected Products: Netbox