← Back

CVE-2024-47226

nvd nist
Published: Sep 22, 2024Modified: Jun 17, 2026

JSON object

Loading...
5.4
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.3 / Impact: 2.7
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

A stored cross-site scripting (XSS) vulnerability exists in NetBox 4.1.0 within the "Configuration History" feature of the "Admin" panel via a /core/config-revisions/ Add action. An authenticated user can inject arbitrary JavaScript or HTML into the "Top banner" field. NOTE: Multiple third parties have disputed this as not a vulnerability. It is argued that the configuration revision banner feature is meant to contain unsanitized HTML in order to display notifications to users. Since these fields are intended to display unsanitized HTML, this is working as intended.

Affected (1)

Products: Netbox: Netbox
Netbox
1 product
Netbox
Configuration A
1 vulnerable
Vulnerable SoftwareAffected Versions
Netbox
Version 4.1.0

Related CWEs

CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (2)

Source: cve@mitre.org
Release Notes
Source: cve@mitre.org
ExploitIssue Tracking

Timeline

No history available yet.