CVE-2024-40727

6.1 MEDIUM

📋 TL;DR

This CVE describes a cross-site scripting (XSS) vulnerability in NetBox v4.0.3 where attackers can inject malicious scripts into the Name parameter when adding console server ports. This allows execution of arbitrary web scripts or HTML in victims' browsers. Organizations running vulnerable NetBox instances are affected.

💻 Affected Systems

Products:
  • NetBox
Versions: v4.0.3
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the console server port creation interface at /dcim/console-server-ports/add/

📦 What is this software?

NetBox is an open-source, Django-based application for documenting and modelling network infrastructure (DCIM and IPAM): sites, racks, devices, cables, IP address space and, relevant here, the console server ports attached to devices. Because it serves as a shared source of truth, the object lists where a stored payload would render are viewed by many engineers, which is what gives a stored XSS in a field like this its reach.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker who can plant a payload runs script in other users' browsers: issuing authenticated requests in their name (for example creating an API token or changing permissions), defacing pages, or redirecting them to attacker-controlled sites; against an administrator this amounts to full account compromise. Cookie theft via document.cookie is less likely than the page's summary suggests, since Django marks the session cookie HttpOnly by default, so the realistic path is script that acts from inside the victim's session rather than exfiltrating it.

🟠 Likely Case

A user with permission to create console server ports (in NetBox terms, dcim.add_consoleserverport) stores a persistent payload that executes whenever another user views the port list or the owning device's page, enabling session hijacking or credential phishing within the NetBox UI.

🟢 If Mitigated

With the name HTML-encoded at render time (the actual fix) and server-side validation of the Name field as defence in depth, the payload is displayed as literal text rather than interpreted as markup.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to create console server ports (typically authenticated users). The GitHub reference shows proof-of-concept payloads.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v4.0.4 or later

Vendor Advisory: https://github.com/netbox-community/netbox/releases

Restart Required: Yes

Instructions:

1. Back up the PostgreSQL database (pg_dump) and the NetBox configuration (configuration.py and any local settings).
2. Fetch the new release into the install directory: for a git checkout, git fetch followed by git checkout v4.0.4; otherwise unpack the v4.0.4 release tarball. NetBox is not distributed on PyPI, so pip install --upgrade netbox is not an upgrade path.
3. Run the bundled upgrade script from the install directory: sudo ./upgrade.sh. It rebuilds the virtual environment, installs requirements, runs the database migrations and collects static files.
4. Restart the services: sudo systemctl restart netbox netbox-rq.

🔧 Temporary Workarounds

Input Validation Filter (all platforms)

Reject, server-side, any console server port name containing HTML tags, javascript: URLs or inline event handlers before it is stored. Treat this as defence in depth only: the fix that removes the bug is encoding the name at output time, and filters that try to strip markup are routinely bypassed.

WAF Rule (all platforms)

Block POST requests to /dcim/console-server-ports/add/ whose name parameter contains <script, javascript: or on<event>= patterns. A rule that matches only <script> is bypassed by event-handler payloads such as <img src=x onerror=...>, so match handlers as well, and expect some false positives on legitimate names.
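The "If Mitigated" outcome and the input-validation workaround above, shown side by side as an added example. This is illustrative code written for this page, not NetBox's own templates or forms: the render functions are generic string-interpolation versus HTML-encoding patterns, the sample names are constructed, and validate_name is a hypothetical filter of the kind the workaround describes.

```python
import html
import re

# Constructed sample names (not taken from the page or the referenced PoC): one
# benign, one carrying a typical inline-event-handler probe.
BENIGN_NAME = "console-port-1"
PAYLOAD_NAME = '<img src=x onerror="alert(document.cookie)">'

# Coarse signature for HTML tags, javascript: URLs and inline event handlers.
# The \b keeps ordinary words such as "connection=" from tripping the handler check.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z!]|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)


def render_unsafe(name):
    """Vulnerable pattern: the stored name is interpolated straight into HTML,
    so a name containing markup becomes part of the page and executes."""
    return "<td>{}</td>".format(name)


def render_safe(name):
    """Hardened pattern: HTML-encode at output time. The browser displays the
    payload as literal text; this is the change that removes the vulnerability."""
    return "<td>{}</td>".format(html.escape(name, quote=True))


def validate_name(name, max_len=64):
    """Defence-in-depth filter for the Name field (the input-validation
    workaround above). It rejects markup-looking input instead of stripping it,
    because sanitisers that strip are easy to bypass; it does not replace
    output encoding."""
    if not name or len(name) > max_len:
        raise ValueError("name must be 1..%d characters" % max_len)
    if MARKUP_RE.search(name):
        raise ValueError("name contains HTML/JavaScript markup")
    return name


def name_accepted(name):
    """Boolean view of validate_name for callers that just want yes/no."""
    try:
        validate_name(name)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    print("unsafe:", render_unsafe(PAYLOAD_NAME))
    print("safe:  ", render_safe(PAYLOAD_NAME))
    print("accept benign:", name_accepted(BENIGN_NAME),
          "accept payload:", name_accepted(PAYLOAD_NAME))
```

Running the block prints the same payload twice, once as live markup and once as entity-encoded text; the second form is what a patched NetBox should produce for a port name. The validator is deliberately strict rather than clever: a rejected name is an error the user can fix, whereas a "cleaned" name gives a false sense of safety.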

🧯 If You Can't Patch

  • Restrict the ability to create console server ports to trusted administrators: in NetBox, remove the dcim.add_consoleserverport permission from every group that does not need it, which also removes the attacker's path to the /dcim/console-server-ports/add/ form
  • Send a Content-Security-Policy header from the reverse proxy that restricts script sources, to limit what an injected payload can do; test the policy against the NetBox UI first, since a strict policy may break front-end features that rely on inline scripts

🔍 How to Verify

Check if Vulnerable:

Read the running version from the footer of the web UI, or request /api/status/ and read the netbox-version field (an API token may be needed if the API requires authentication). Version 4.0.3 is the affected release.

Check Version:

curl -s -H "Authorization: Token $NETBOX_TOKEN" https://netbox.example.com/api/status/

NetBox is not an installed Python package, so python -c "import netbox; print(netbox.__version__)" does not work; use the status endpoint, the UI footer, or git describe in the install directory.

Verify Fix Applied:

Confirm /api/status/ (or the UI footer) reports 4.0.4 or later, then create a throwaway console server port whose name contains a harmless marker such as <b>probe</b> and check that the port list and the device detail page show the tag as literal text rather than bold text. Delete the test object afterwards.

📡 Detection & Monitoring

Log Indicators:

  • POST requests to /dcim/console-server-ports/add/ whose name parameter contains script tags, javascript: URLs or inline event handlers. Plain web-server access logs do not record POST bodies, so this needs a WAF or reverse proxy with request-body logging, or a review of NetBox's own change log, which stores the name of each created object
  • Repeated POSTs to that path from one user or source address in quick succession, consistent with an attacker tuning a payload

Network Indicators:

  • HTTP requests containing <script> tags, javascript: URLs or on<event>= handlers in the 'name' parameter (visible only where TLS is terminated before the inspection point)

SIEM Query (assumes a log source that records POST parameters; adjust field names to your schema):

source="web_logs" AND uri_path="/dcim/console-server-ports/add/" AND (param_name="name" AND param_value MATCHES "(?i)<script|javascript:")
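The same detection logic as an added example, written for this page rather than taken from it or from NetBox: one function applies the SIEM query's idea (widened to catch event-handler payloads) to request-body records, and a second hunts retroactively through stored console server ports, since access logs usually lack POST bodies and a payload planted before logging was in place shows up only in the data. The JSON log lines and port objects are constructed; fetch_ports assumes a reachable instance and a valid API token.

```python
import json
import re
import urllib.parse
import urllib.request

TARGET_PATH = "/dcim/console-server-ports/add/"
# Markup that would execute in a browser: script tags, javascript: URLs, and
# inline event handlers on any tag. Same intent as the SIEM query, slightly wider.
XSS_RE = re.compile(r"<\s*script|javascript:|<\s*[a-z]+[^>]*\bon[a-z]+\s*=", re.IGNORECASE)

# Constructed JSON-lines records of the kind a reverse proxy or WAF with
# request-body logging might produce. Not captured from a real system.
SAMPLE_LOG = """\
{"src": "198.51.100.4", "method": "POST", "path": "/dcim/console-server-ports/add/", "body": "csrfmiddlewaretoken=x&device=12&name=con0&type=rj-45"}
{"src": "203.0.113.7", "method": "POST", "path": "/dcim/console-server-ports/add/", "body": "csrfmiddlewaretoken=x&device=12&name=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&type=rj-45"}
{"src": "203.0.113.7", "method": "GET", "path": "/dcim/console-server-ports/add/", "body": ""}
{"src": "192.0.2.9", "method": "POST", "path": "/dcim/interfaces/add/", "body": "name=%3Cscript%3Ex%3C%2Fscript%3E"}
"""


def flag_requests(log_text):
    """Return (src, decoded name) for each POST to the affected form whose
    name parameter carries executable-looking markup."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("method") != "POST" or rec.get("path") != TARGET_PATH:
            continue
        # Form bodies are URL-encoded; decode so %3Cscript%3E is matched as <script>.
        name = urllib.parse.parse_qs(rec.get("body", "")).get("name", [""])[0]
        if XSS_RE.search(name):
            hits.append((rec.get("src", "?"), name))
    return hits


# Constructed objects in the shape /api/dcim/console-server-ports/ returns,
# trimmed to the fields used here.
SAMPLE_PORTS = [
    {"id": 1, "name": "con0", "device": {"name": "rtr1"}},
    {"id": 2, "name": "Console 1/2", "device": {"name": "rtr1"}},
    {"id": 3, "name": "<img src=x onerror=alert(1)>", "device": {"name": "sw1"}},
]


def flag_stored_ports(ports):
    """Retroactive hunt: ids of already-stored ports whose name looks like a payload."""
    return [p["id"] for p in ports if XSS_RE.search(p.get("name", ""))]


def fetch_ports(base_url, token, limit=1000):
    """Pull every console server port from a live instance, following the
    paginated 'next' links the NetBox REST API returns."""
    url = base_url.rstrip("/") + "/api/dcim/console-server-ports/?limit=%d" % limit
    ports = []
    while url:
        req = urllib.request.Request(
            url, headers={"Accept": "application/json", "Authorization": "Token " + token}
        )
        with urllib.request.urlopen(req, timeout=30) as resp:
            page = json.load(resp)
        ports.extend(page.get("results", []))
        url = page.get("next")
    return ports


if __name__ == "__main__":
    for src, name in flag_requests(SAMPLE_LOG):
        print("suspect POST from %s: %r" % (src, name))
    print("stored ports to review:", flag_stored_ports(SAMPLE_PORTS))
```

Feed flag_stored_ports the output of fetch_ports to sweep an existing database; any id it returns is an object to inspect and rename (or delete) before other users load the page that renders it. The request-side check only fires on the add path the advisory names; widen TARGET_PATH if your own review finds the same field rendered from other forms.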

🔗 References
