1. Home
  2. CVE Database
  3. CVE-2024-34707
HIGH · 7.5

CVE-2024-34707

Nautobot is a Network Source of Truth and Network Automation Platform. A Nautobot user with admin privileges can modify the `BANNER_TOP`, `BANNER_BOTTOM`, and `BANNER_LOGIN` configuration settings via...

Vulnerability Description

Nautobot is a Network Source of Truth and Network Automation Platform. A Nautobot user with admin privileges can modify the `BANNER_TOP`, `BANNER_BOTTOM`, and `BANNER_LOGIN` configuration settings via the `/admin/constance/config/` endpoint. Normally these settings are used to provide custom banner text at the top and bottom of all Nautobot web pages (or specifically on the login page in the case of `BANNER_LOGIN`) but it was reported that an admin user can make use of these settings to inject arbitrary HTML, potentially exposing Nautobot users to security issues such as cross-site scripting (stored XSS). The vulnerability is fixed in Nautobot 1.6.22 and 2.2.4.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:H/A:L
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality
LOW
Integrity
HIGH
Availability
LOW

Affected Products

VendorProductVersions
NetworktocodeNautobot< 1.6.22

Related Weaknesses (CWE)

CWE-79

References

FAQ

What is CVE-2024-34707?

CVE-2024-34707 is a vulnerability with a CVSS score of 7.5 (HIGH). Nautobot is a Network Source of Truth and Network Automation Platform. A Nautobot user with admin privileges can modify the `BANNER_TOP`, `BANNER_BOTTOM`, and `BANNER_LOGIN` configuration settings via...

How severe is CVE-2024-34707?

CVE-2024-34707 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2024-34707?

Check the references section above for vendor advisories and patch information. Affected products include: Networktocode Nautobot.