CVE-2023-48705

CVSS 3.1 Score 5.4 of 10 (medium)

Details

Published Nov 22, 2023
Updated: Nov 29, 2023
CWE ID 79

Summary

CVE-2023-48705 is a cross-site scripting vulnerability that affects users of Nautobot versions earlier than 1.6.6 or 2.0.5, which is a Network Source of Truth and Network Automation Platform. This vulnerability arises due to incorrect usage of Django's mark_safe() API when rendering certain types of user-authored content, potentially allowing users with permission to create or edit this content to craft malicious payloads that could be executed when rendering pages containing this content. The maintainers have fixed this issue by replacing the incorrect uses of mark_safe() with appropriate use of format_html(). It is recommended for Nautobot 1.6.x users to upgrade to version 1.6.6 and Nautobot 2.0.x users to upgrade to version 2.0.5. This vulnerability poses a medium risk with low privileges required and user interaction required, potentially impacting confidentiality and integrity of data but not availability.

Note: This summary includes facts from the given text but does not include the information about affected products due to space limitations in the paragraph report format provided.

Explore Beyond the CVE Basics with Recorded Future's Vulnerability Intelligence

Note: This is just a basic overview providing quick insights into CVE-2023-48705 information. Gain full access to comprehensive CVE data, risk scores, prioritization, and mitigation data through Recorded Future's Vulnerability Intelligence:
  • Prioritize with Risk-Based Scoring
  • Explore the Extensive Vulnerability Database
  • Receive Early Alerts on Emerging CVEs
  • Focus on Critical Exploitable Vulnerabilities
  • Streamline Remediation with Integration Options