{"id":"PYSEC-2024-16","details":"Nautobot is a Network Source of Truth and Network Automation Platform built as a web application. All users of Nautobot versions earlier than 1.6.10 or 2.1.2 are potentially impacted by a cross-site scripting vulnerability. Due to inadequate input sanitization, any user-editable fields that support Markdown rendering are potentially susceptible to cross-site scripting (XSS) attacks via maliciously crafted data. This issue is fixed in Nautobot versions 1.6.10 and 2.1.2.","aliases":["CVE-2024-23345","GHSA-v4xv-795h-rv4h"],"modified":"2024-01-29T20:41:40.105029Z","published":"2024-01-23T00:15:00Z","references":[{"type":"ADVISORY","url":"https://github.com/nautobot/nautobot/security/advisories/GHSA-v4xv-795h-rv4h"},{"type":"FIX","url":"https://github.com/nautobot/nautobot/pull/5133"},{"type":"FIX","url":"https://github.com/nautobot/nautobot/pull/5134"},{"type":"FIX","url":"https://github.com/nautobot/nautobot/commit/17effcbe84a72150c82b138565c311bbee357e80"},{"type":"FIX","url":"https://github.com/nautobot/nautobot/commit/64312a4297b5ca49b6cdedf477e41e8e4fd61cce"}],"affected":[{"package":{"name":"nautobot","ecosystem":"PyPI","purl":"pkg:pypi/nautobot"},"ranges":[{"type":"GIT","repo":"https://github.com/nautobot/nautobot","events":[{"introduced":"0"},{"fixed":"17effcbe84a72150c82b138565c311bbee357e80"},{"fixed":"64312a4297b5ca49b6cdedf477e41e8e4fd61cce"}]},{"type":"ECOSYSTEM","events":[{"introduced":"2.0.0"},{"fixed":"2.1.2"},{"introduced":"0"},{"fixed":"1.6.10"}]}],"versions":["1.0.0","1.0.0a1","1.0.0a2","1.0.0b1","1.0.0b2","1.0.0b3","1.0.0b4","1.0.1","1.0.2","1.0.3","1.1.0","1.1.1","1.1.2","1.1.3","1.1.4","1.1.5","1.1.6","1.2.0","1.2.1","1.2.10","1.2.11","1.2.2","1.2.3","1.2.4","1.2.5","1.2.6","1.2.7","1.2.8","1.2.9","1.3.0","1.3.1","1.3.10","1.3.2","1.3.3","1.3.4","1.3.5","1.3.6","1.3.7","1.3.8","1.3.9","1.4.0","1.4.1","1.4.10","1.4.2","1.4.3","1.4.4","1.4.5","1.4.7","1.4.8","1.4.9","1.5.0","1.5.1","1.5.10","1.5.11","1.5.12","1.5.13","1.5.14","1.5.15","1.5.16","1.5.17","1.5.18","1.5.19","1.5.2","1.5.20","1.5.21","1.5.22","1.5.23","1.5.24","1.5.3","1.5.4","1.5.5","1.5.6","1.5.7","1.5.8","1.5.9","1.6.0","1.6.1","1.6.2","1.6.3","1.6.4","1.6.5","1.6.6","1.6.7","1.6.8","1.6.9","2.0.0","2.0.1","2.0.2","2.0.3","2.0.4","2.0.5","2.0.6","2.1.0","2.1.0b1","2.1.1"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/nautobot/PYSEC-2024-16.yaml"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}]}