High severityNVD Advisory· Published May 1, 2024· Updated Aug 2, 2024
Reflected Cross-site Scripting potential in all object list views in Nautobot
CVE-2024-32979
Description
Nautobot is a Network Source of Truth and Network Automation Platform built as a web application atop the Django Python framework with a PostgreSQL or MySQL database. It was discovered that due to improper handling and escaping of user-provided query parameters, a maliciously crafted Nautobot URL could potentially be used to execute a Reflected Cross-Site Scripting (Reflected XSS) attack against users. All filterable object-list views in Nautobot are vulnerable. This issue has been fixed in Nautobot versions 1.6.20 and 2.2.3. There are no known workarounds for this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
nautobotPyPI | >= 1.5.0, < 1.6.20 | 1.6.20 |
nautobotPyPI | >= 2.0.0, < 2.2.3 | 2.2.3 |
Affected products
2Patches
Vulnerability mechanics
References
9- github.com/advisories/GHSA-jxgr-gcj5-cqqgghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2024-32979ghsaADVISORY
- github.com/nautobot/nautobot/commit/2ea5797ea43646d5d8b29433e4c707b5a9758146ghsaWEB
- github.com/nautobot/nautobot/commit/42440ebd9b381534ad89d62420ebea00d703d64eghsax_refsource_MISCWEB
- github.com/nautobot/nautobot/pull/5646ghsax_refsource_MISCWEB
- github.com/nautobot/nautobot/pull/5647ghsax_refsource_MISCWEB
- github.com/nautobot/nautobot/releases/tag/v1.6.20ghsaWEB
- github.com/nautobot/nautobot/releases/tag/v2.2.3ghsaWEB
- github.com/nautobot/nautobot/security/advisories/GHSA-jxgr-gcj5-cqqgghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.