CVE-2024-34707
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2024-34707
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-34707.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2024-34707
- Aliases
- Published
- 2024-05-13T19:22:41Z
- Modified
- 2025-10-22T18:42:44.458642Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:H/A:L CVSS Calculator
- Summary
- Nautobot's BANNER_* configuration can be used to inject arbitrary HTML content into Nautobot pages
- Details
-
Nautobot is a Network Source of Truth and Network Automation Platform. A Nautobot user with admin privileges can modify the
BANNER_TOP,BANNER_BOTTOM, andBANNER_LOGINconfiguration settings via the/admin/constance/config/endpoint. Normally these settings are used to provide custom banner text at the top and bottom of all Nautobot web pages (or specifically on the login page in the case ofBANNER_LOGIN) but it was reported that an admin user can make use of these settings to inject arbitrary HTML, potentially exposing Nautobot users to security issues such as cross-site scripting (stored XSS). The vulnerability is fixed in Nautobot 1.6.22 and 2.2.4. - Database specific
{ "cwe_ids": [ "CWE-79" ] }- References
-
- https://github.com/nautobot/nautobot/security/advisories/GHSA-r2hr-4v48-fjv3
- https://github.com/nautobot/nautobot/commit/4f0a66bd6307bfe0e0acb899233e0d4ad516f51c
- https://github.com/nautobot/nautobot/commit/f640aedc69c848d3d1be57f0300fc40033ff6423
- https://github.com/nautobot/nautobot/pull/5697
- https://github.com/nautobot/nautobot/pull/5698
Affected packages
Git / github.com/nautobot/nautobot
Affected ranges
- Type
- GIT
- Repo
- https://github.com/nautobot/nautobot
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
- Type
- GIT
- Repo
- https://github.com/nautobot/nautobot
- Events
Affected versions
v1.*
v1.0.0
v1.0.0a1
v1.0.0a2
v1.0.0b1
v1.0.0b2
v1.0.0b3
v1.0.0b4
v1.0.1
v1.0.2
v1.0.3
v1.1.0
v1.1.0b1
v1.1.0b2
v1.1.1
v1.1.2
v1.1.3
v1.1.4
v1.1.5
v1.1.6
v1.2
v1.2.0
v1.2.0b1
v1.2.1
v1.2.10
v1.2.11
v1.2.2
v1.2.3
v1.2.4
v1.2.5
v1.2.6
v1.2.7
v1.2.8
v1.2.9
v1.3
v1.3.0
v1.3.0-beta.1
v1.3.1
v1.3.10
v1.3.2
v1.3.3
v1.3.4
v1.3.5
v1.3.6
v1.3.7
v1.3.8
v1.3.9
v1.4.0
v1.4.0-alpha.1
v1.4.0-alpha.2
v1.4.0-beta.1
v1.4.0-rc.1
v1.4.1
v1.4.10
v1.4.2
v1.4.3
v1.4.4
v1.4.5
v1.4.6
v1.4.7
v1.4.8
v1.4.9
v1.5.0
v1.5.0-beta.1
v1.5.1
v1.5.10
v1.5.11
v1.5.12
v1.5.13
v1.5.14
v1.5.15
v1.5.16
v1.5.17
v1.5.18
v1.5.19
v1.5.2
v1.5.20
v1.5.21
v1.5.22
v1.5.23
v1.5.24
v1.5.3
v1.5.4
v1.5.5
v1.5.6
v1.5.7
v1.5.8
v1.5.9
v1.6.0
v1.6.0-rc.1
v1.6.1
v1.6.10
v1.6.11
v1.6.12
v1.6.13
v1.6.14
v1.6.15
v1.6.16
v1.6.17
v1.6.18
v1.6.19
v1.6.2
v1.6.20
v1.6.21
v1.6.3
v1.6.4
v1.6.5
v1.6.6
v1.6.7
v1.6.8
v1.6.9
v2.*
v2.0.0
v2.0.1
v2.0.2
v2.0.3
v2.0.4
v2.0.5
v2.0.6
v2.1.0
v2.1.1
v2.1.2
v2.1.3
v2.1.4
v2.1.5
v2.1.6
v2.1.7
v2.1.8
v2.1.9
v2.2.0
v2.2.0-beta.1
v2.2.1
v2.2.2
v2.2.3