NetBox v3.7.0 vulnerability #15634
Replies: 1 comment
-
FYI I fixed your link. It's CVE farming: People find some way to trigger some low-risk bug or discover some out-of-date dependency and submit a vulnerability report without actually understanding whether the behavior presents real risk. Unfortunately, anyone can file a CVE for anything; the whole process is completely unmoderated and unvalidated AFAICT.
Obviously, an administrator with access to modify the application configuration can enter whatever content they choose, whether via the UI form or by setting it in
That's weird, there's a whole thread in the report spanning January 22-23 where I explain the above to the reporter. This individual has submitted several invalid vulnerability reports. When asked to submit feature requests or bug reports instead, they declined. I suspect this is because such people have zero interest in actually improving open source products in any meaningful way, and are focused instead on how many vulnerabilities they can claim to have found in furtherance of their consulting services or whatever.
-
Hi everyone.
Is anyone familiar with this issue?
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-0948
I'm concerned about it and didn't see any fix in the last release.