CVE-2023-48705: Cross-site Scripting potential in custom links, job buttons, and computed fields
(updated )
All users of Nautobot versions earlier than 1.6.6 or 2.0.5 are potentially affected.
Due to incorrect usage of Django’s mark_safe() API when rendering certain types of user-authored content, including:
- custom links
- job buttons
- computed fields
it is possible that users with permission to create or edit these types of content could craft a malicious payload (such as JavaScript code) that would be executed when rendering pages containing this content.
References
- docs.djangoproject.com/en/3.2/ref/utils/
- docs.djangoproject.com/en/3.2/ref/utils/
- github.com/advisories/GHSA-cf9f-wmhp-v4pr
- github.com/nautobot/nautobot
- github.com/nautobot/nautobot/commit/362850f5a94689a4c75e3188bf6de826c3b012b2
- github.com/nautobot/nautobot/commit/54abe23331b6c3d0d82bf1b028c679b1d200920d
- github.com/nautobot/nautobot/pull/4832
- github.com/nautobot/nautobot/pull/4833
- github.com/nautobot/nautobot/security/advisories/GHSA-cf9f-wmhp-v4pr
- github.com/pypa/advisory-database/tree/main/vulns/nautobot/PYSEC-2023-285.yaml
- nvd.nist.gov/vuln/detail/CVE-2023-48705
Code Behaviors & Features
Detect and mitigate CVE-2023-48705 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →