GHSA-jxgr-gcj5-cqqg
nautobot has reflected Cross-site Scripting potential in all object list views
Details
### Impact
It was discovered that due to improper handling and escaping of user-provided query parameters, a maliciously crafted Nautobot URL could potentially be used to execute a Reflected Cross-Site Scripting (Reflected XSS) attack against users. All filterable object-list views in Nautobot are vulnerable, including:
- /dcim/location-types/
- /dcim/locations/
- /dcim/racks/
- /dcim/rack-groups/
- /dcim/rack-reservations/
- /dcim/rack-elevations/
- /tenancy/tenants/
- /tenancy/tenant-groups/
- /extras/tags/
- /extras/statuses/
- /extras/roles/
- /extras/dynamic-groups/
- /dcim/devices/
- /dcim/platforms/
- /dcim/virtual-chassis/
- /dcim/device-redundancy-groups/
- /dcim/interface-redundancy-groups/
- /dcim/device-types/
- /dcim/manufacturers/
- /dcim/cables/
- /dcim/console-connections/
- /dcim/power-connections/
- /dcim/interface-connections/
- /dcim/interfaces/
- /dcim/front-ports/
- /dcim/rear-ports/
- /dcim/console-ports/
- /dcim/console-server-ports/
- /dcim/power-ports/
- /dcim/power-outlets/
- /dcim/device-bays/
- /dcim/inventory-items/
- /ipam/ip-addresses/
- /ipam/prefixes
- /ipam/rirs/
- /ipam/namespaces/
- /ipam/vrfs/
- /ipam/route-targets/
- /ipam/vlans/
- /ipam/vlan-groups/
- /ipam/services/
- /virtualization/virtual-machines/
- /virtualization/interfaces/
- /virtualization/clusters/
- /virtualization/cluster-types/
- /virtualization/cluster-groups/
- /circuits/circuits/
- /circuits/circuit-types/
- /circuits/providers/
- /circuits/provider-networks/
- /dcim/power-feeds/
- /dcim/power-panels/
- /extras/secrets/
- /extras/secrets-groups/
- /extras/jobs/
- /extras/jobs/scheduled-jobs/approval-queue/
- /extras/jobs/scheduled-jobs/
- /extras/job-results/
- /extras/job-hooks/
- /extras/job-buttons/
- /extras/object-changes/
- /extras/git-repositories/
- /extras/graphql-queries/
- /extras/relationships/
- /extras/notes/
- /extras/config-contexts/
- /extras/config-context-schemas/
- /extras/export-templates/
- /extras/external-integrations/
- /extras/webhooks/
- /extras/computed-fields/
- /extras/custom-fields/
- /extras/custom-links/
as well as any similar object-list views provided by any Nautobot App.
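The advisory gives no code, so the following is an added illustration, not Nautobot's own implementation or its actual patch. It models the pattern the advisory describes: an object-list view that echoes its filter query parameters back into the page (here as "applied filter" chips), once interpolating the raw values into HTML and once escaping them for the HTML and attribute contexts they land in. The chip markup, the function names, the example host `nautobot.example` and the payloads are all assumptions; `reflects_unescaped()` is the check a tester would run over the body of a real GET response to a pre-patch instance.

```python
"""Reflected XSS via echoed query parameters: vulnerable vs. hardened rendering.

Hypothetical example modelled on the advisory, NOT Nautobot code. A Django-style
list view takes the filter values from the query string and renders them back
into the page. If those values are interpolated into HTML unescaped, a crafted
URL becomes a reflected XSS against anyone who opens it.
"""
from html import escape
from urllib.parse import parse_qsl, urlencode, urlsplit


def applied_filters(url: str) -> list:
    """Return (field, value) pairs from the URL's query string, the way a
    filter form would collect the filters currently applied to a list view."""
    query = urlsplit(url).query
    # keep_blank_values so that "?name=" still yields a chip, as a filter UI would
    return parse_qsl(query, keep_blank_values=True)


def render_chips_vulnerable(url: str) -> str:
    """Vulnerable: attacker-controlled field names and values are pasted straight
    into both an attribute (data-field) and element text, with no escaping."""
    chips = [
        '<span class="filter-chip" data-field="%s">%s: %s</span>' % (field, field, value)
        for field, value in applied_filters(url)
    ]
    return '<div class="applied-filters">' + "".join(chips) + "</div>"


def render_chips_safe(url: str) -> str:
    """Hardened: every user-controlled fragment is HTML-escaped. quote=True also
    converts ' and " so a value cannot break out of the data-field attribute."""
    chips = [
        '<span class="filter-chip" data-field="%s">%s: %s</span>'
        % (escape(field, quote=True), escape(field, quote=True), escape(value, quote=True))
        for field, value in applied_filters(url)
    ]
    return '<div class="applied-filters">' + "".join(chips) + "</div>"


def reflects_unescaped(page_html: str, payload: str) -> bool:
    """Verification check: if the payload appears verbatim in the response body,
    the parameter is reflected without escaping and the browser will execute it.
    Run this over the body of a real GET to a list view when testing an instance."""
    return payload in page_html


# Constructed attacker URLs (example host, not a real instance).
BASE = "https://nautobot.example/dcim/devices/?"

# 1. Payload in a filter value: lands in element text.
PAYLOAD = "<script>alert(document.cookie)</script>"
ATTACK_URL = BASE + urlencode({"name": PAYLOAD, "status": "active"})

# 2. Payload in a filter *name*: lands in the data-field attribute and breaks out of it.
ATTR_FIELD = 'x" onmouseover="alert(1)'
ATTR_URL = BASE + urlencode({ATTR_FIELD: "1"})


if __name__ == "__main__":
    for label, url in (("value payload", ATTACK_URL), ("attribute payload", ATTR_URL)):
        print(label, "vulnerable:", render_chips_vulnerable(url))
        print(label, "hardened:  ", render_chips_safe(url))
```

The hardened renderer escapes at the output site rather than trying to validate or strip the input, which is the only approach that holds across the many views listed above. In Django specifically the same protection comes from leaving template autoescaping on and never wrapping user-supplied values in `mark_safe()` or the `|safe` filter; `format_html()` escapes its arguments for you. Note that escaping for HTML text and attributes does not cover other sinks: a value reflected into a JavaScript string or a URL needs escaping for that context instead.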
### Patches
Fixed in Nautobot 1.6.20 and 2.2.3.
### Workarounds
No workaround has been identified.
### References
- #5646
- #5647
**Credit to [Michael Panorios](mailto:michael.panorios@pwc.com) for reporting this issue.**
References
- https://github.com/nautobot/nautobot/security/advisories/GHSA-jxgr-gcj5-cqqg [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2024-32979 [ADVISORY]
- https://github.com/nautobot/nautobot/pull/5646 [WEB]
- https://github.com/nautobot/nautobot/pull/5647 [WEB]
- https://github.com/nautobot/nautobot/commit/2ea5797ea43646d5d8b29433e4c707b5a9758146 [WEB]
- https://github.com/nautobot/nautobot/commit/42440ebd9b381534ad89d62420ebea00d703d64e [WEB]
- https://github.com/nautobot/nautobot [PACKAGE]
- https://github.com/nautobot/nautobot/releases/tag/v1.6.20 [WEB]
- https://github.com/nautobot/nautobot/releases/tag/v2.2.3 [WEB]