Submit #270218: netbox netbox 3.7.0 XSS

Title: netbox netbox 3.7.0 XSS
Description:

**Security Report: Authenticated XSS Vulnerability via Home Page Configuration**

**Reported by:** Reza Rashidi from Hazard Lab
**Severity:** High
**Vulnerability Type:** Authenticated Cross-Site Scripting (XSS)
**Affected System:** NetBox version 3.7.0

**Overview:** A high-severity vulnerability has been identified in the home page configuration functionality of NetBox version 3.7.0. It allows authenticated cross-site scripting (XSS) through manipulation of configuration settings, potentially compromising every user who views the home page.

**Description:** The vulnerability arises because NetBox 3.7.0 does not properly validate and sanitize user input when configuring and rendering content on the home page. An attacker with access to the configuration can inject crafted HTML and JavaScript into the home page configuration; the injected script then executes in the browser of any user who opens the home page.

**Vulnerability Details:**

1. **Input Validation:** The application lacks sufficient input validation and output encoding when handling configuration settings for the home page, allowing malicious payloads to be stored and rendered.
2. **XSS Payload Example:** An example payload demonstrating the vulnerability:

   `<<h1 onload=alert(1)>>test</h1>`

   With this payload, an attacker injects arbitrary JavaScript (here, an alert with the message "1") into the home page configuration. When a user accesses the home page, the injected code is executed.

**Steps to Reproduce:**

1. Log in to NetBox version 3.7.0.
2. Navigate to the home page configuration settings.
3. Inject the provided XSS payload or a similar crafted payload into the configuration settings.
4. Save the changes.
5. Access the home page.
6. Observe the successful execution of the payload when users view the home page.

**Reference:**

1. https://drive.google.com/file/d/1tcgyzu9Fh3AMG0INR0EdOR7ZjWmBK0ZR/view?usp=sharing
Source: https://drive.google.com/file/d/1tcgyzu9Fh3AMG0INR0EdOR7ZjWmBK0ZR/view?usp=sharing
User: rezaduty (UID 10530)
Submission: 01/19/2024 11:46 (2 years ago)
Moderation: 01/26/2024 13:49 (7 days later)
Status: Accepted
VulDB entry: 252191 [NetBox up to 3.7.0 Home Page Configuration /core/config-revisions cross site scripting]
Points: 20
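The report above attributes the flaw to missing input validation and output encoding for the home page configuration. As an added example that is not NetBox's own code, the allowlist sanitizer below (Python, standard library only) shows the defensive counterpart: operator-supplied banner markup is rebuilt from an allowlist of tags, every event-handler attribute is dropped, link targets are restricted to known schemes, and all text is output-encoded. The tag and attribute allowlists are assumptions; the check exercises the report's own payload.

```python
import html
from html.parser import HTMLParser

# Assumptions (not NetBox's own policy): markup a banner may legitimately contain.
ALLOWED_TAGS = {"p", "b", "strong", "i", "em", "h1", "h2", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = ("http://", "https://", "mailto:")

class BannerSanitizer(HTMLParser):
    # Rebuilds the configured HTML from an allowlist instead of trusting it.
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []  # emitted tags, so stray or missing closers stay balanced

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # unknown element (script, img, iframe, ...) is dropped outright
        kept = []
        for name, value in attrs:
            value = value or ""
            if name.startswith("on"):  # onload, onerror, ... never survive
                continue
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name == "href" and not value.lower().startswith(SAFE_SCHEMES):
                continue  # rejects javascript:, data: and protocol-relative URLs
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in self.open_tags:
            while self.open_tags:  # close back down to the matching opener
                closed = self.open_tags.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        # Text is always output-encoded, so a stray '<' or '>' cannot open a tag.
        self.out.append(html.escape(data, quote=False))

def sanitize_banner(raw: str) -> str:
    parser = BannerSanitizer()
    parser.feed(raw)
    parser.close()
    while parser.open_tags:  # auto-close anything the input left open
        parser.out.append(f"</{parser.open_tags.pop()}>")
    return "".join(parser.out)
```

Comments, declarations and processing instructions are silently discarded because the base class ignores them unless a handler is defined.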
