CVE-2023-48705
CVSS 3.1 Score 5.4 of 10 (medium)
Details
Summary
CVE-2023-48705 is a cross-site scripting (XSS) vulnerability affecting users of Nautobot, a Network Source of Truth and Network Automation Platform, prior to versions 1.6.6 and 2.0.5. This issue is caused by the inappropriate use of Django's `mark_safe()` API while rendering certain types of user-authored content, including custom links, job buttons, and computed fields. Malicious payloads, such as JavaScript code, can be crafted by users with permission to create or edit these types of content, leading to the execution of arbitrary code when pages containing the manipulated content are rendered. The vulnerability has been addressed in versions 1.6.6 and 2.0.5, which users are strongly advised to upgrade to. Additionally, appropriate object permissions should be applied to restrict user access to content creation and editing features. No direct workaround is available for this vulnerability.
Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.
Affected Products
- Networktocode Nautobot
Affected Vendors
- Network to Code