
A recently disclosed vulnerability, CVE-2023-33797, affects NetBox v3.5.1, a popular open source infrastructure resource modeling application. The bug lets a user who can create Sites inject arbitrary web script into the Name field (stored cross-site scripting, or XSS) that later executes in the browsers of other users who view the Sites list. This post breaks down the vulnerability, explains how it works, shows the payloads that trigger it, and lists trusted references for further reading.

What is CVE-2023-33797?

The vulnerability exists because NetBox v3.5.1 does not neutralize HTML in the Name field of a Site when it renders the site list at /dcim/sites/. An attacker enters a script payload as the name; NetBox stores it in the database unchanged, and the script executes in the browser of anyone who views the Sites page afterwards, including privileged admin users.

Attack Scenario:

- An attacker with permission to add Sites creates a new Site whose Name is a script payload.
- NetBox saves the name to the database as entered.
- An administrator opens the Sites list. The stored payload is rendered as HTML, and the script fires in the admin’s browser with their cookies and permissions.

> “Stored XSS” is dangerous because it targets any future visitors, not just one person.

Where is the Bug?

When you go to Sites > Add (/dcim/sites/add/) in NetBox, you fill out a form. The “Name” field is saved and later displayed in the Sites list. NetBox v3.5.1 renders it without escaping HTML or script.

In the Name field, an attacker could enter

```html
"><img src=x onerror=alert('XSS by CVE-2023-33797')>
```

The leading `">` closes a quoted attribute in case the name is placed inside one; `x` is not a valid image, so the `onerror` handler runs as soon as the cell is rendered. A plainer variant is a bare script tag:

```html
<script>alert('CVE-2023-33797 XSS')</script>
```

The form is reached at

```
http(s)://[netbox-domain]/dcim/sites/add/
```

and a payload that displays the viewer’s cookies rather than a fixed string:

```html
<script>alert(document.cookie)</script>
```

Screenshot Example

(I can’t provide images here, but an attacker would see a popup triggered on the Sites list.)

Impact

- Run arbitrary script in the victim’s browser, carrying the victim’s NetBox session and permissions
- Steal admin cookies / sessions. One caveat for the `document.cookie` payload above: Django marks the session cookie HttpOnly by default, so unless a deployment has changed that setting the script will not see `sessionid`. A realistic payload instead drives the NetBox UI or REST API from inside the victim’s logged-in browser session, where same-origin requests carry the cookie automatically.

Mitigation

- Update NetBox: Fixed in NetBox v3.5.3
- Output escaping: the correct fix is to HTML-escape the value where it is rendered, which Django template autoescaping does by default, rather than to strip characters from input. Escape for the context the value lands in (HTML body, attribute, JavaScript, URL).
- Audit stored data: upgrading stops the payload from rendering but does not delete it. Review existing Site names (and other free-text fields) for markup that was stored before the fix.
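Because upgrading changes how the name is rendered but leaves already-stored values in the database, a defender will want to look for payloads that landed before the fix. The following audit script is an added example for this post, not NetBox’s own tooling. It lists Sites through NetBox’s REST API at `/api/dcim/sites/` with token authentication and follows the paginated `count`/`next`/`previous`/`results` response; those are NetBox’s documented API shape. The base URL, token, `NETBOX_URL`/`NETBOX_TOKEN` environment variable names and the sample response are assumptions constructed for the example, so the script also runs offline against the sample.

```python
import json
import re
import urllib.request
from typing import Iterable, Iterator

# Sequences a legitimate site name does not need but an HTML/script payload does.
# Heuristic: a name such as "Rack A > Rack B" is a false positive worth a look,
# not a reason to skip it.
MARKUP_RE = re.compile(r"[<>]|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)

# Constructed sample of a NetBox /api/dcim/sites/ list response (not real data).
# Only the fields this script reads are included.
SAMPLE_RESPONSE = {
    "count": 3,
    "next": None,
    "previous": None,
    "results": [
        {"id": 1, "name": "DC-West-1", "slug": "dc-west-1"},
        {"id": 2, "name": "\"><img src=x onerror=alert('XSS by CVE-2023-33797')>", "slug": "dc-west-2"},
        {"id": 3, "name": "Branch Office (London)", "slug": "branch-office-london"},
    ],
}


def flag_suspicious_sites(sites: Iterable[dict]) -> list[dict]:
    """Return id and name of every site whose name looks like markup or script."""
    return [
        {"id": site["id"], "name": site["name"]}
        for site in sites
        if MARKUP_RE.search(site.get("name") or "")
    ]


def iter_sites(base_url: str, token: str) -> Iterator[dict]:
    """Page through /api/dcim/sites/ with an API token, following the 'next' link.

    base_url and token are deployment-specific values supplied by the caller
    (assumed for this example).
    """
    url = f"{base_url.rstrip('/')}/api/dcim/sites/?limit=100"
    while url:
        request = urllib.request.Request(
            url,
            headers={"Authorization": f"Token {token}", "Accept": "application/json"},
        )
        with urllib.request.urlopen(request, timeout=30) as response:
            page = json.load(response)
        yield from page["results"]
        url = page.get("next")


def audit(base_url: str, token: str) -> list[dict]:
    """Fetch every site from a live NetBox and return the suspicious ones."""
    return flag_suspicious_sites(iter_sites(base_url, token))


if __name__ == "__main__":
    import os
    import sys

    # Offline demonstration on the constructed sample.
    print("sample:", flag_suspicious_sites(SAMPLE_RESPONSE["results"]))

    # Live audit when NETBOX_URL and NETBOX_TOKEN are set (assumed variable names).
    if os.environ.get("NETBOX_URL") and os.environ.get("NETBOX_TOKEN"):
        hits = audit(os.environ["NETBOX_URL"], os.environ["NETBOX_TOKEN"])
        for hit in hits:
            print(f"site {hit['id']}: {hit['name']!r}")
        sys.exit(1 if hits else 0)
```

The regex is deliberately broad: anything it flags should be reviewed by a human and either renamed or confirmed legitimate. A non-zero exit status when hits are found makes the script easy to drop into a scheduled job after the upgrade.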

Somewhere in the Django templates the name is written into a table cell, roughly:

```html
<td>{{ site.name }}</td>
```

Django autoescapes `{{ }}` output by default, so a plain tag like this one is safe. The stored markup only becomes live HTML if the value reaches the browser unescaped: through the `|safe` filter, a `mark_safe()` call in Python code, an `{% autoescape off %}` block, or string formatting that assembles HTML outside the template engine. Wherever that happens for `site.name`, the injected HTML is rendered as code.
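To make the autoescaping point concrete, here is an added Python example written for this post. It is not NetBox code and does not import Django; it reproduces the two rendering outcomes with Python’s `html.escape`, whose replacement set (`& < > " '`) matches what Django’s template autoescaping rewrites, and feeds it the two payloads quoted above. The cell and link layouts are assumptions standing in for the real template.

```python
import html

# The two payloads quoted earlier in this write-up (constructed test input).
PAYLOADS = [
    "\"><img src=x onerror=alert('XSS by CVE-2023-33797')>",
    "<script>alert('CVE-2023-33797 XSS')</script>",
]


def escape_for_html(value: str) -> str:
    """Escape the five characters that matter in HTML text and attribute context.

    html.escape(quote=True) rewrites & < > " ' to &amp; &lt; &gt; &quot; &#x27;,
    the same set Django's autoescaping rewrites.
    """
    return html.escape(value, quote=True)


def render_site_cell(name: str, autoescape: bool = True) -> str:
    """Render the Sites-list cell that displays a site name.

    autoescape=True mirrors a plain {{ site.name }} in a Django template.
    autoescape=False mirrors a value that reached the page marked safe
    (|safe, mark_safe(), {% autoescape off %}): the vulnerable condition.
    """
    value = escape_for_html(name) if autoescape else name
    return f"<td>{value}</td>"


def render_site_link(name: str, pk: int, autoescape: bool = True) -> str:
    """Render the name inside a quoted attribute as well as in text.

    This is the context the leading "> in the first payload is aimed at:
    without escaping, the quote terminates title="..." and the rest of the
    name is parsed as new tags.
    """
    value = escape_for_html(name) if autoescape else name
    return f'<a href="/dcim/sites/{pk}/" title="{value}">{value}</a>'


def cell_contains_markup(rendered: str) -> bool:
    """True if a raw '<' or '>' survived inside the <td>...</td> body, meaning
    the browser would parse part of the stored name as markup."""
    body = rendered[len("<td>"):-len("</td>")]
    return "<" in body or ">" in body


if __name__ == "__main__":
    for payload in PAYLOADS:
        print("unescaped:", render_site_cell(payload, autoescape=False))
        print("escaped:  ", render_site_cell(payload))
        print("link:     ", render_site_link(payload, pk=1))
        print()
```

Running it shows the same stored string producing live markup in one case and harmless text in the other. The only difference is whether escaping happened at the point of output, which is why the fix belongs in rendering rather than in input filtering.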

GitHub Advisory:

https://github.com/netbox-community/netbox/security/advisories/GHSA-qrgf-4p2v-rr3c

NVD Entry:

https://nvd.nist.gov/vuln/detail/CVE-2023-33797

Patch Commit:

https://github.com/netbox-community/netbox/commit/77e82ae2dfd6626e40f61ca6ffe6691b23d8b8

Conclusion

CVE-2023-33797 shows how a single unescaped field can expose a high-value app. NetBox admins should update to the latest version as soon as possible. If you’re building web apps, *always* escape user-supplied data for the context in which it is displayed.

Update now – and stay safe!

*For educational purposes only. Do not exploit systems you do not have permission to test.*


Further Reading:  
- OWASP: Cross-site Scripting (XSS): https://owasp.org/www-community/attacks/xss/

Timeline

Published on: 05/24/2023 20:15:00 UTC
Last modified on: 05/27/2023 03:41:00 UTC