Impact
Because user-provided query parameters were not properly handled and escaped before being rendered back into the page, a maliciously crafted Nautobot URL could be used to carry out a reflected cross-site scripting (reflected XSS) attack against any user who opens that link; the injected script then runs in that user's browser with the user's Nautobot session. All filterable object-list views in Nautobot are affected, including:
- /dcim/location-types/
- /dcim/locations/
- /dcim/racks/
- /dcim/rack-groups/
- /dcim/rack-reservations/
- /dcim/rack-elevations/
- /tenancy/tenants/
- /tenancy/tenant-groups/
- /extras/tags/
- /extras/statuses/
- /extras/roles/
- /extras/dynamic-groups/
- /dcim/devices/
- /dcim/platforms/
- /dcim/virtual-chassis/
- /dcim/device-redundancy-groups/
- /dcim/interface-redundancy-groups/
- /dcim/device-types/
- /dcim/manufacturers/
- /dcim/cables/
- /dcim/console-connections/
- /dcim/power-connections/
- /dcim/interface-connections/
- /dcim/interfaces/
- /dcim/front-ports/
- /dcim/rear-ports/
- /dcim/console-ports/
- /dcim/console-server-ports/
- /dcim/power-ports/
- /dcim/power-outlets/
- /dcim/device-bays/
- /dcim/inventory-items/
- /ipam/ip-addresses/
- /ipam/prefixes/
- /ipam/rirs/
- /ipam/namespaces/
- /ipam/vrfs/
- /ipam/route-targets/
- /ipam/vlans/
- /ipam/vlan-groups/
- /ipam/services/
- /virtualization/virtual-machines/
- /virtualization/interfaces/
- /virtualization/clusters/
- /virtualization/cluster-types/
- /virtualization/cluster-groups/
- /circuits/circuits/
- /circuits/circuit-types/
- /circuits/providers/
- /circuits/provider-networks/
- /dcim/power-feeds/
- /dcim/power-panels/
- /extras/secrets/
- /extras/secrets-groups/
- /extras/jobs/
- /extras/jobs/scheduled-jobs/approval-queue/
- /extras/jobs/scheduled-jobs/
- /extras/job-results/
- /extras/job-hooks/
- /extras/job-buttons/
- /extras/object-changes/
- /extras/git-repositories/
- /extras/graphql-queries/
- /extras/relationships/
- /extras/notes/
- /extras/config-contexts/
- /extras/config-context-schemas/
- /extras/export-templates/
- /extras/external-integrations/
- /extras/webhooks/
- /extras/computed-fields/
- /extras/custom-fields/
- /extras/custom-links/
as well as any similar object-list views provided by any Nautobot App.
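The pattern behind this class of bug, as an added illustration that is not Nautobot's own code and does not reproduce the advisory's actual root cause (which the advisory does not detail): a filterable list view echoes the active filters (its query-string keys and values) back into the rendered page. If those fragments are interpolated into HTML verbatim, a crafted link reflects attacker-controlled markup into the victim's page; routing every fragment through HTML escaping closes it. The function names, the page skeleton and the probe URL below are assumptions made for this example, and the probe value is a harmless `<b>` tag rather than an executable payload.

```python
"""Reflected-XSS sink in a filter summary, vulnerable and hardened forms.

Added example, not code from Nautobot. It uses only the standard library
so it runs offline; the HTML skeleton and the function names are assumptions.
"""
from html import escape
from urllib.parse import parse_qs, urlencode, urlsplit


def _active_filters(url: str) -> dict[str, list[str]]:
    """Query-string keys and values, exactly as a list view would see them."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True)


def render_filter_summary_unsafe(url: str) -> str:
    """Vulnerable: keys and values are interpolated into HTML as-is.

    Both the field name and the value are attacker-controlled, because an
    attacker chooses the whole query string of the link the victim opens.
    """
    chips = "".join(
        f'<span class="filter" data-field="{field}">{field}: {value}</span>'
        for field, values in _active_filters(url).items()
        for value in values
    )
    return f'<div class="active-filters">{chips}</div>'


def render_filter_summary_safe(url: str) -> str:
    """Hardened: every user-controlled fragment is HTML-escaped.

    quote=True also escapes " and ' so the fragment is safe inside the
    data-field attribute, not only in text content.
    """
    chips = "".join(
        '<span class="filter" data-field="{f}">{f}: {v}</span>'.format(
            f=escape(field, quote=True), v=escape(value, quote=True)
        )
        for field, values in _active_filters(url).items()
        for value in values
    )
    return f'<div class="active-filters">{chips}</div>'


def reflects_raw_markup(render, url: str) -> bool:
    """Probe for the bug class: does any query fragment containing HTML
    metacharacters appear verbatim (unescaped) in the rendered output?"""
    rendered = render(url)
    for field, values in _active_filters(url).items():
        for fragment in (field, *values):
            if any(ch in fragment for ch in '<>"\'&') and fragment in rendered:
                return True
    return False


# Constructed probe link: a benign tag in a filter value of a list view.
PROBE_URL = "/dcim/devices/?" + urlencode(
    {"name": "edge-01", "status": "<b>probe</b>"}
)

if __name__ == "__main__":
    print("unsafe:", render_filter_summary_unsafe(PROBE_URL))
    print("safe:  ", render_filter_summary_safe(PROBE_URL))
    print("unsafe reflects raw markup:",
          reflects_raw_markup(render_filter_summary_unsafe, PROBE_URL))
    print("safe reflects raw markup:  ",
          reflects_raw_markup(render_filter_summary_safe, PROBE_URL))
```

`reflects_raw_markup` is a cheap regression check for any view that echoes request parameters: feed it a URL whose fragments carry `<`, `>`, quotes or `&` and fail the test if any of them survive into the page unescaped. Real Django templates auto-escape variables, so in practice this class of bug arises where output is marked safe or built by string formatting outside the template engine; the check above catches both.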
Patches
Fixed in Nautobot 1.6.20 and 2.2.3.
Workarounds
No workaround has been identified; upgrading to a patched release is the only remedy.
References
Credit to Michael Panorios for reporting this issue.