CVE-2024-23345

Nautobot has XSS potential in rendered Markdown fields

Description

Nautobot is a Network Source of Truth and Network Automation Platform built as a web application. All users of Nautobot versions earlier than 1.6.10 or 2.1.2 are potentially impacted by a cross-site scripting vulnerability. Due to inadequate input sanitization, any user-editable fields that support Markdown rendering, including are potentially susceptible to cross-site scripting (XSS) attacks via maliciously crafted data. This issue is fixed in Nautobot versions 1.6.10 and 2.1.2.

Category

7.1
CVSS
Severity: High
CVSS 3.1 •
EPSS 0.30%
Vendor Advisory github.com
Affected: nautobot nautobot
Published at:
Updated at:

References

Link Tags
https://github.com/nautobot/nautobot/security/advisories/GHSA-v4xv-795h-rv4h vendor advisory
https://github.com/nautobot/nautobot/pull/5133 patch
https://github.com/nautobot/nautobot/pull/5134 patch
https://github.com/nautobot/nautobot/commit/17effcbe84a72150c82b138565c311bbee357e80 patch
https://github.com/nautobot/nautobot/commit/64312a4297b5ca49b6cdedf477e41e8e4fd61cce patch

Frequently Asked Questions

What is the severity of CVE-2024-23345?
CVE-2024-23345 has been scored as a high severity vulnerability.
How to fix CVE-2024-23345?
To fix CVE-2024-23345, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2024-23345 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2024-23345 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-23345?
CVE-2024-23345 affects nautobot nautobot.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.