Description
Nautobot is a Network Source of Truth and Network Automation Platform. A Nautobot user with admin privileges can modify the `BANNER_TOP`, `BANNER_BOTTOM`, and `BANNER_LOGIN` configuration settings via the `/admin/constance/config/` endpoint. Normally these settings are used to provide custom banner text at the top and bottom of all Nautobot web pages (or specifically on the login page in the case of `BANNER_LOGIN`) but it was reported that an admin user can make use of these settings to inject arbitrary HTML, potentially exposing Nautobot users to security issues such as cross-site scripting (stored XSS). The vulnerability is fixed in Nautobot 1.6.22 and 2.2.4.
References (5)
Core 5
Core References
Patch, Vendor Advisory x_refsource_confirm
https://github.com/nautobot/nautobot/security/advisories/GHSA-r2hr-4v48-fjv3
Exploit, Patch x_refsource_misc
https://github.com/nautobot/nautobot/pull/5697
Exploit, Patch x_refsource_misc
https://github.com/nautobot/nautobot/pull/5698
Patch x_refsource_misc
https://github.com/nautobot/nautobot/commit/4f0a66bd6307bfe0e0acb899233e0d4ad516f51c
Scores
CVSS v3
7.5
EPSS
0.0027
EPSS Percentile
50.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:H/A:L
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (2)
networktocode/nautobot
< 1.6.22
pypi/nautobot
0 - 1.6.22PyPI
Published
May 14, 2024
Tracked Since
Feb 18, 2026