Stored Cross Site Scripting Vulnerability in "Create Site Groups" function in Netbox 3.5.1 #10

Open
@anhdq201

Version: 3.5.1

Description

An authenticated malicious user can take advantage of a Stored XSS vulnerability in "Create Site Groups" function in the "Organization" feature.

Proof of Concept

Step 1: Go to /dcim/site-groups/, click "Add" and insert payload "<img src=1 onerror='alert(document.cookie)'/>" in "Name" field.

Step 2: Go to /dcim/sites/, click "Add" and select "Group"

Step 3: Script executed

Impact

If an attacker can control a script that is executed in the victim's browser, then they can typically fully compromise that user.
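
A regression check for the flaw the steps above demonstrate, as an added example that is not part of the original report and not NetBox's code: it renders a stored group name into a dropdown entry without and with output escaping, then parses the result to see whether the name became markup. The `div.option` template and all function names are assumptions made for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Payload quoted in Step 1 of the report, stored as a site group name.
PAYLOAD = "<img src=1 onerror='alert(document.cookie)'/>"

# Hypothetical dropdown markup; not NetBox's actual template or widget code.
ENTRY = '<div class="option">{}</div>'


def render_unsafe(names):
    """Vulnerable pattern: stored names are placed into markup unchanged."""
    return "".join(ENTRY.format(n) for n in names)


def render_safe(names):
    """Hardened pattern: each stored name is HTML-escaped at output time."""
    return "".join(ENTRY.format(escape(n, quote=True)) for n in names)


class _Audit(HTMLParser):
    """Records injected elements/handlers and the text a user would see."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.unexpected, self.labels = [], []

    def handle_starttag(self, tag, attrs):
        handlers = [k for k, _ in attrs if k.startswith("on")]
        if tag != "div" or handlers:
            self.unexpected.append((tag, handlers))

    def handle_data(self, data):
        self.labels.append(data)


def audit(markup):
    """Return (unexpected elements, visible labels) for rendered markup."""
    parser = _Audit()
    parser.feed(markup)
    parser.close()
    return parser.unexpected, parser.labels


if __name__ == "__main__":
    names = ["HQ", PAYLOAD]  # constructed sample data
    print("unsafe:", audit(render_unsafe(names)))
    print("safe:  ", audit(render_safe(names)))
```

With escaping applied, the payload survives only as the visible label text, so the stored name can stay unchanged in the database while the output path is fixed.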
