← Back to CVE List

CVE-2024-34707

Published: 2024-05-14T15:39Z
Last Modified: 2024-11-21T09:19Z
Source: MITRE CVE List
License: MITRE-CVE-TOS
Nautobot is a Network Source of Truth and Network Automation Platform. A Nautobot user with admin privileges can modify the `BANNER_TOP`, `BANNER_BOTTOM`, and `BANNER_LOGIN` configuration settings via the `/admin/constance/config/` endpoint. Normally these settings are used to provide custom banner text at the top and bottom of all Nautobot web pages (or specifically on the login page in the case of `BANNER_LOGIN`) but it was reported that an admin user can make use of these settings to inject arbitrary HTML, potentially exposing Nautobot users to security issues such as cross-site scripting (stored XSS). The vulnerability is fixed in Nautobot 1.6.22 and 2.2.4. > MITRE Terms of Use apply – see LICENSE‑MITRE.txt