CVE-2024-32979
nautobot has reflected Cross-site Scripting potential in all object list views
Description
### Impact It was discovered that due to improper handling and escaping of user-provided query parameters, a maliciously crafted Nautobot URL could potentially be used to execute a Reflected Cross-Site Scripting (Reflected XSS) attack against users. All filterable object-list views in Nautobot are vulnerable, including: - /dcim/location-types/ - /dcim/locations/ - /dcim/racks/ - /dcim/rack-groups/ - /dcim/rack-reservations/ - /dcim/rack-elevations/ - /tenancy/tenants/ - /tenancy/tenant-groups/ - /extras/tags/ - /extras/statuses/ - /extras/roles/ - /extras/dynamic-groups/ - /dcim/devices/ - /dcim/platforms/ - /dcim/virtual-chassis/ - /dcim/device-redundancy-groups/ - /dcim/interface-redundancy-groups/ - /dcim/device-types/ - /dcim/manufacturers/ - /dcim/cables/ - /dcim/console-connections/ - /dcim/power-connections/ - /dcim/interface-connections/ - /dcim/interfaces/ - /dcim/front-ports/ - /dcim/rear-ports/ - /dcim/console-ports/ - /dcim/console-server-ports/ - /dcim/power-ports/ - /dcim/power-outlets/ - /dcim/device-bays/ - /dcim/inventory-items/ - /ipam/ip-addresses/ - /ipam/prefixes - /ipam/rirs/ - /ipam/namespaces/ - /ipam/vrfs/ - /ipam/route-targets/ - /ipam/vlans/ - /ipam/vlan-groups/ - /ipam/services/ - /virtualization/virtual-machines/ - /virtualization/interfaces/ - /virtualization/clusters/ - /virtualization/cluster-types/ - /virtualization/cluster-groups/ - /circuits/circuits/ - /circuits/circuit-types/ - /circuits/providers/ - /circuits/provider-networks/ - /dcim/power-feeds/ - /dcim/power-panels/ - /extras/secrets/ - /extras/secrets-groups/ - /extras/jobs/ - /extras/jobs/scheduled-jobs/approval-queue/ - /extras/jobs/scheduled-jobs/ - /extras/job-results/ - /extras/job-hooks/ - /extras/job-buttons/ - /extras/object-changes/ - /extras/git-repositories/ - /extras/graphql-queries/ - /extras/relationships/ - /extras/notes/ - /extras/config-contexts/ - /extras/config-context-schemas/ - /extras/export-templates/ - /extras/external-integrations/ - /extras/webhooks/ - /extras/computed-fields/ - /extras/custom-fields/ - /extras/custom-links/ as well as any similar object-list views provided by any Nautobot App. ### Patches Fixed in Nautobot 1.6.20 and 2.2.3. ### Workarounds No workaround has been identified ### References - #5646 - #5647 **Credit to [Michael Panorios](mailto:michael.panorios@pwc.com) for reporting this issue.**
How to fix CVE-2024-32979
To remediate CVE-2024-32979, upgrade the affected package to a fixed version below.
- —upgrade to 1.6.20 or later