CVE-2024-47226
MEDIUMNetBox 4.1.0 - Stored Cross-Site Scripting in Configuration History Top Banner Field
Title source: llmDescription
A stored cross-site scripting (XSS) vulnerability exists in NetBox 4.1.0 within the "Configuration History" feature of the "Admin" panel via a /core/config-revisions/ Add action. An authenticated user can inject arbitrary JavaScript or HTML into the "Top banner" field. NOTE: Multiple third parties have disputed this as not a vulnerability. It is argued that the configuration revision banner feature is meant to contain unsanitized HTML in order to display notifications to users. Since these fields are intended to display unsanitized HTML, this is working as intended.
References (2)
Core 2
Core References
Exploit, Issue Tracking
https://github.com/tu3n4nh/netbox/issues/1
Scores
CVSS v3
5.4
EPSS
0.0029
EPSS Percentile
20.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (1)
netbox/netbox
4.1.0
Published
Sep 22, 2024
Tracked Since
Feb 18, 2026