---
A recently disclosed vulnerability, CVE-2023-33797, affects NetBox v3.5.1, a popular open source infrastructure resource modeling application. The bug is a stored cross-site scripting (XSS) flaw: a user who can create a Site can place arbitrary script in its Name field, and that script later executes in the browser of anyone who views the Sites list. This post breaks down the vulnerability, explains how it works, shows example payloads, and provides references for further reading.
What is CVE-2023-33797?
The vulnerability exists because NetBox v3.5.1 stores the Name field of a new Site (created under /dcim/sites/) without restriction and later renders it into HTML without escaping it. An attacker can therefore store a script in the database that executes in the browser of anyone who opens the Sites page afterward, including privileged admin users.
Attack Scenario:
1. A user with permission to create Sites enters a script payload in the Name field and saves the Site.
2. The payload is stored in the database unchanged.
3. An administrator opens the Sites list. The stored payload is rendered into the page and the script fires in the admin's browser with their cookies and permissions.
> Stored XSS is dangerous because it targets every future visitor of the affected page, not just one person.
Where is the Bug?
When you go to Sites > Add (/dcim/sites/add/) in NetBox, you fill out a form. The Name field is saved and displayed later, for example in the Sites list. NetBox v3.5.1 does not escape HTML or script in this value when it renders it.
In the Name field on http(s)://[netbox-domain]/dcim/sites/add/, an attacker could enter a payload that also works if the value lands inside an attribute:

```html
"><img src=x onerror=alert('XSS by CVE-2023-33797')>
```

Or a plain script element:

```html
<script>alert('CVE-2023-33797 XSS')</script>
```

An alert only proves that the script runs. Swapping the body for `alert(document.cookie)` shows that the same payload can read whatever cookies are exposed to script in the browser of anyone who loads the Sites list.
Screenshot Example
(I can't provide images here, but an attacker would see a popup triggered on the Sites list.)
Impact
- Steal admin cookies / sessions. Note that Django sets the session cookie HttpOnly by default, so unless that default was changed `document.cookie` will not expose the session ID; the script can still act as the admin by issuing authenticated same-origin requests from their browser.
- Perform any action the victim is allowed to perform in NetBox, since the script runs with the victim's permissions on the NetBox origin.
- Persistence: the payload stays in the database and fires for every user who views the Sites list until the stored name is cleaned up.
Mitigation
- Update NetBox: Fixed in NetBox v3.5.3
- Output encoding: HTML-escape user-controlled values at render time. Input validation is useful defense in depth, but it cannot replace escaping, because a name must still be stored and displayed.
- Audit stored data: after upgrading, review existing Site names for markup. The upgrade fixes the rendering; it does not remove payloads an attacker already saved.
Illustrative Django template fragment (not NetBox's actual template):

```html
<td>{{ site.name }}</td>
```

Django auto-escapes `{{ }}` output by default, so this line on its own is safe. The bug pattern is any rendering path that bypasses that escaping, such as `{{ site.name|safe }}`, `{% autoescape off %}`, or building the HTML string in Python and wrapping it in `mark_safe()`. In those paths the injected HTML is rendered as markup and the script executes.
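To make the escaping point concrete, here is an added Python example written for this post (it is not NetBox's own code). It renders the two payloads from above through a vulnerable and a hardened row template, uses the standard-library HTML parser to check which rendering actually creates elements or event handlers, and then audits a constructed, API-shaped list of sites for names that are already markup. The `/api/dcim/sites/` response is only sketched with the fields the audit needs; the payloads are the ones shown earlier in this post.

```python
"""Added example for this write-up (not NetBox code): output escaping versus
raw rendering of a stored Site name, and an audit of stored names for markup."""
import html
import json
from html.parser import HTMLParser

# The two payloads shown in the post above.
PAYLOADS = [
    "\"><img src=x onerror=alert('XSS by CVE-2023-33797')>",
    "<script>alert('CVE-2023-33797 XSS')</script>",
]


def render_row_unsafe(name: str) -> str:
    """Vulnerable pattern: the stored name is pasted into the markup as-is.
    This is what `|safe`, mark_safe() or {% autoescape off %} amount to."""
    return f"<td>{name}</td>"


def render_row_safe(name: str) -> str:
    """Hardened pattern: HTML-encode at output time. html.escape(quote=True)
    encodes < > & " ' just like Django's default autoescaping does."""
    return f"<td>{html.escape(name, quote=True)}</td>"


class _TagCollector(HTMLParser):
    """Records every element and on* event-handler attribute a browser would see."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []
        self.handlers: list[str] = []

    def handle_starttag(self, tag: str, attrs: list) -> None:
        self.tags.append(tag)
        self.handlers.extend(k for k, _ in attrs if k.startswith("on"))


def injected_elements(markup: str, allowed: frozenset = frozenset({"td"})) -> list[str]:
    """Return elements outside `allowed` plus any event handlers (as "@onerror").
    An empty list means the value was neutralised: no payload, or fully escaped."""
    parser = _TagCollector()
    parser.feed(markup)
    parser.close()
    extra = [t for t in parser.tags if t not in allowed]
    return extra + [f"@{h}" for h in parser.handlers]


# Constructed sample shaped like GET /api/dcim/sites/ (only the fields used here).
# Site 2 carries the first payload; site 3 is a benign name that a browser would
# still parse as a tag, which is why the output is a review list, not a delete list.
SAMPLE_API_RESPONSE = json.dumps({
    "count": 3,
    "results": [
        {"id": 1, "name": "dc-ams-1", "slug": "dc-ams-1"},
        {"id": 2, "name": PAYLOADS[0], "slug": "site-2"},
        {"id": 3, "name": "Branch <Paris> office", "slug": "paris"},
    ],
})


def audit_site_names(api_json: str) -> list[tuple[int, str]]:
    """Flag stored Site names a browser would treat as markup.
    Upgrading fixes the rendering; it does not remove names an attacker already
    saved, so run this over a real export of /api/dcim/sites/ after patching."""
    flagged = []
    for site in json.loads(api_json)["results"]:
        if injected_elements(site["name"], allowed=frozenset()):
            flagged.append((site["id"], site["name"]))
    return flagged


if __name__ == "__main__":
    for payload in PAYLOADS:
        print("unsafe:", injected_elements(render_row_unsafe(payload)))
        print("safe:  ", injected_elements(render_row_safe(payload)))
    for site_id, name in audit_site_names(SAMPLE_API_RESPONSE):
        print(f"review site {site_id}: {name!r}")
```

The parser-based check is deliberately stricter than a regex on `<script`: it flags anything that would become an element or an event handler, which is what matters in the victim's browser. That is also why the audit returns site 3 alongside the real payload; a human should decide which stored names are legitimate before cleaning them up.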
- GitHub Advisory: https://github.com/netbox-community/netbox/security/advisories/GHSA-qrgf-4p2v-rr3c
- NVD Entry: https://nvd.nist.gov/vuln/detail/CVE-2023-33797
- Patch Commit: https://github.com/netbox-community/netbox/commit/77e82ae2dfd6626e40f61ca6ffe6691b23d8b8
Conclusion
CVE-2023-33797 shows how a single unescaped field can expose a high-value application. NetBox admins should update to the latest version as soon as possible and review already-stored Site names. If you are building web apps, *always* escape user-controlled data at the point where it is rendered into HTML.
Update now – and stay safe!
*For educational purposes only. Do not exploit systems you do not have permission to test.*
Further Reading:
- OWASP: Cross-site Scripting (XSS)
Timeline
Published on: 05/24/2023 20:15:00 UTC
Last modified on: 05/27/2023 03:41:00 UTC