CVE-2024-34707

HIGH Year: 2024
CVSS v3 Score
7.5
High
Weakness Type
CWE-79
View all →

Vulnerability Description

Nautobot is a Network Source of Truth and Network Automation Platform. A Nautobot user with admin privileges can modify the `BANNER_TOP`, `BANNER_BOTTOM`, and `BANNER_LOGIN` configuration settings via the `/admin/constance/config/` endpoint. Normally these settings are used to provide custom banner text at the top and bottom of all Nautobot web pages (or specifically on the login page in the case of `BANNER_LOGIN`) but it was reported that an admin user can make use of these settings to inject arbitrary HTML, potentially exposing Nautobot users to security issues such as cross-site scripting (stored XSS). The vulnerability is fixed in Nautobot 1.6.22 and 2.2.4.

Related Vulnerabilities

CVE-2016-8719

HIGH
CVSS:7.5(High)

An exploitable reflected Cross-Site Scripting vulnerability exists in the Web Application functionality of Moxa AWK-3131A Wireless Access Point running firmware 1.1. Specially crafted input, in multip...

CWE-792016

CVE-2018-12319

HIGH
CVSS:7.5(High)

Denial-of-service in the login page of ASUSTOR ADM 3.1.1 allows attackers to prevent users from signing in by placing malformed text in the title.

CWE-792018

CVE-2018-3740

HIGH
CVSS:7.5(High)

A specially crafted HTML fragment can cause Sanitize gem for Ruby to allow non-whitelisted attributes to be used on a whitelisted HTML element.

CWE-792018

CVE-2018-6010

HIGH
CVSS:7.5(High)

In Yii Framework 2.x before 2.0.14, remote attackers could obtain potentially sensitive information from exception messages, or exploit reflected XSS on the error handler page in non-debug mode. Relat...

CWE-792018

CVE-2019-15816

HIGH
CVSS:7.5(High)

The wp-private-content-plus plugin before 2.0 for WordPress has no protection against option changes via save_settings_page and other save_ functions.

CWE-792019

CVE-2019-17214

HIGH
CVSS:7.5(High)

The WebARX plugin 1.3.0 for WordPress allows firewall bypass by appending &cc=1 to a URI.

CWE-792019