CVE-2023-48705
HIGH 7.1 | EPSS 0.29% | Cross-site Scripting potential in custom links, job buttons, and computed fields
Description
### Impact

All users of Nautobot versions earlier than 1.6.6 or 2.0.5 are potentially affected. Due to incorrect usage of Django's `mark_safe()` API when rendering certain types of user-authored content, including:

- custom links
- job buttons
- computed fields

users with permission to create or edit these types of content could craft a malicious payload (such as JavaScript code) that would be executed in the browser of anyone viewing a page that renders this content. `mark_safe()` tells Django's template engine that a string is already safe HTML and must not be escaped; applying it to a string built from user input turns that input into trusted markup.

### Patches

The incorrect uses of `mark_safe()` have been fixed, generally by replacing them with appropriate use of `format_html()`, which escapes each substituted value and marks only the literal template as safe, so that such malicious data is rendered as text rather than executed. Users on Nautobot 1.6.x LTM should upgrade to v1.6.6 and users on Nautobot 2.0.x should upgrade to v2.0.5.

### Workarounds

Appropriate object permissions can and should be applied to restrict which users are permitted to create or edit the aforementioned types of user-authored content. Other than that, there is no direct fix available without upgrading.

### References

- https://github.com/nautobot/nautobot/pull/4832
- https://github.com/nautobot/nautobot/pull/4833
- https://docs.djangoproject.com/en/3.2/ref/utils/#django.utils.html.format_html
- https://docs.djangoproject.com/en/3.2/ref/utils/#django.utils.safestring.mark_safe
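The mechanism behind this advisory, as an added example that is not Nautobot's or Django's code: a custom-link renderer written in the vulnerable `mark_safe()` style beside the same renderer written with `format_html()`, fed a constructed payload of the kind a user with edit rights on a custom link, job button or computed field could submit. The `SafeString`, `mark_safe`, `escape`, `conditional_escape` and `format_html` helpers are minimal stand-ins that reproduce the documented Django semantics so the file runs without Django installed; in a real application you would import the originals from `django.utils.safestring` and `django.utils.html`. The link label and target values, and the `render_link_*` function names, are hypothetical.

```python
"""Why mark_safe() on interpolated user input is an XSS, and why format_html() is not.

Added illustration for CVE-2023-48705; not Nautobot's or Django's code.
The helpers below are stand-ins for the Django APIs of the same name
(assumption: they match the documented semantics closely enough for this demo).
"""
import html
import re
from typing import Any


class SafeString(str):
    """A str the template engine will emit without escaping (Django's marker type)."""


def mark_safe(s: str) -> SafeString:
    # Declares s to be already-safe HTML. No escaping happens here; that is a
    # promise made by the caller, and breaking that promise is the bug class.
    return SafeString(s)


def escape(value: Any) -> SafeString:
    # HTML-escape &, <, >, " and ' (same characters as django.utils.html.escape).
    return SafeString(html.escape(str(value), quote=True))


def conditional_escape(value: Any) -> SafeString:
    # Escape unless the value was already marked safe.
    if isinstance(value, SafeString):
        return value
    return escape(value)


def format_html(fmt: str, *args: Any, **kwargs: Any) -> SafeString:
    # str.format where every argument is conditionally escaped first and only
    # the literal template string is trusted (django.utils.html.format_html).
    return mark_safe(
        fmt.format(
            *(conditional_escape(a) for a in args),
            **{k: conditional_escape(v) for k, v in kwargs.items()},
        )
    )


# --- A "custom link" renderer in both styles (hypothetical names) ----------

def render_link_vulnerable(label: str, target: str) -> SafeString:
    # Vulnerable pattern: user-controlled strings are interpolated first and the
    # whole result is then marked safe, so attacker markup reaches the browser.
    return mark_safe(f'<a href="{target}">{label}</a>')


def render_link_fixed(label: str, target: str) -> SafeString:
    # Fixed pattern: the template literal is trusted, each user value is escaped
    # as it is substituted.
    return format_html('<a href="{}">{}</a>', target, label)


_SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def contains_active_markup(rendered: str) -> bool:
    # Coarse detector used only by this demo: an unescaped <script tag or an
    # injected event-handler attribute survived into the output.
    return bool(_SCRIPT_TAG.search(rendered)) or ' onmouseover="' in rendered


# Constructed payloads (not from the advisory): a label carrying a script tag and
# a target that closes the href attribute to inject an event handler.
PAYLOAD_LABEL = "Docs<script>alert(document.cookie)</script>"
PAYLOAD_TARGET = 'https://example.invalid/" onmouseover="alert(1)'


def demo() -> dict:
    vulnerable = render_link_vulnerable(PAYLOAD_LABEL, PAYLOAD_TARGET)
    fixed = render_link_fixed(PAYLOAD_LABEL, PAYLOAD_TARGET)
    return {
        "vulnerable": str(vulnerable),
        "fixed": str(fixed),
        "vulnerable_executes": contains_active_markup(vulnerable),
        "fixed_executes": contains_active_markup(fixed),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point worth keeping from the fixed variant is that `format_html()` escapes the attribute value and the element body alike, so the target can no longer break out of `href` and the label can no longer open a `<script>` element; a value that genuinely is trusted HTML can still be passed through by wrapping just that value in `mark_safe()`, which `conditional_escape()` honours.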
Affected packages (2)
- PyPI/nautobot: >= 0, < 1.6.6
- PyPI/nautobot: >= 2.0.0, < 2.0.5 (fix commits 362850f5a94689a4c75e3188bf6de826c3b012b2 and 54abe23331b6c3d0d82bf1b028c679b1d200920d)
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.1 | CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:L |
References (10)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2023-48705
- PATCH: https://github.com/nautobot/nautobot
- WEB: https://docs.djangoproject.com/en/3.2/ref/utils/#django.utils.html.format_html
- WEB: https://docs.djangoproject.com/en/3.2/ref/utils/#django.utils.safestring.mark_safe
- WEB: https://github.com/nautobot/nautobot/commit/362850f5a94689a4c75e3188bf6de826c3b012b2
- WEB: https://github.com/nautobot/nautobot/commit/54abe23331b6c3d0d82bf1b028c679b1d200920d
- WEB: https://github.com/nautobot/nautobot/pull/4832
- WEB: https://github.com/nautobot/nautobot/pull/4833
- WEB: https://github.com/nautobot/nautobot/security/advisories/GHSA-cf9f-wmhp-v4pr
- WEB: https://github.com/pypa/advisory-database/tree/main/vulns/nautobot/PYSEC-2023-285.yaml