CVE-2024-47226

MEDIUM EPSS 20.6%

Published Sep 22, 20241y ago · Modified Jun 17, 20261w ago

5.4 CVSS 3.1

Medium

Published Sep 22, 2024 1y ago

Last Modified Jun 17, 2026 1w ago

Description

A stored cross-site scripting (XSS) vulnerability exists in NetBox 4.1.0 within the "Configuration History" feature of the "Admin" panel via a /core/config-revisions/ Add action. An authenticated user can inject arbitrary JavaScript or HTML into the "Top banner" field. NOTE: Multiple third parties have disputed this as not a vulnerability. It is argued that the configuration revision banner feature is meant to contain unsanitized HTML in order to display notifications to users. Since these fields are intended to display unsanitized HTML, this is working as intended.

CVSS Details

Base Score

5.4

Exploitability

2.3

Impact

2.7

Vector string

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Attack Vector Network

Attack Complexity Low

Privileges Required Low

User Interaction Required

Scope Changed

Confidentiality Low

Integrity Low

Availability None

Threat Intelligence

EPSS Exploit Probability

20.6% percentile

Exploit & Patch Status

Public Exploit Known

No Patch Available

Weaknesses 1

CWE-79 Cross-site Scripting Injection

Affected Products 1

Vendor	Product	Version	Range
netbox	netbox	4.1.0	any

References 2

github.com https://github.com/netbox-community/netbox/releases/tag/v4.1.0

Release Notes
github.com https://github.com/tu3n4nh/netbox/issues/1

ExploitIssue Tracking

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.