7.5
CVE-2024-32979
- EPSS 0.49%
- Veröffentlicht 01.05.2024 11:15:47
- Zuletzt bearbeitet 26.08.2025 18:54:06
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
Reflected Cross-site Scripting potential in all object list views in Nautobot
Nautobot is a Network Source of Truth and Network Automation Platform built as a web application atop the Django Python framework with a PostgreSQL or MySQL database. It was discovered that due to improper handling and escaping of user-provided query parameters, a maliciously crafted Nautobot URL could potentially be used to execute a Reflected Cross-Site Scripting (Reflected XSS) attack against users. All filterable object-list views in Nautobot are vulnerable. This issue has been fixed in Nautobot versions 1.6.20 and 2.2.3. There are no known workarounds for this vulnerability.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Networktocode ≫ Nautobot Version >= 1.5.0 < 1.6.20
Networktocode ≫ Nautobot Version >= 2.0.0 < 2.2.3
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. 
Login
Login| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.49% | 0.382 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 6.1 | 2.8 | 2.7 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
| security-advisories@github.com | 7.5 | 1.6 | 5.3 |
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:L
|
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
https://github.com/nautobot/nautobot/commit/42440ebd9b381534ad89d62420ebea00d703d64e
https://github.com/nautobot/nautobot/pull/5646
https://github.com/nautobot/nautobot/pull/5647
https://github.com/nautobot/nautobot/security/advisories/GHSA-jxgr-gcj5-cqqg