CVE-2024-40735
📋 TL;DR
A stored cross-site scripting (XSS) vulnerability in NetBox v4.0.3 allows authenticated attackers to inject malicious scripts into the Name parameter of power outlet edit forms. When other users view or edit these power outlets, the scripts execute in their browser context. This affects all NetBox v4.0.3 installations with authenticated user access.
💻 Affected Systems
- NetBox
📦 What is this software?
Netbox by Netbox
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator session cookies, perform actions as authenticated users, redirect to malicious sites, or compromise user accounts through credential theft.
Likely Case
Attackers with authenticated access could perform session hijacking, deface content, or conduct phishing attacks against other users who interact with manipulated power outlets.
If Mitigated
With proper input validation and output encoding, malicious scripts would be rendered harmless as text rather than executable code.
🎯 Exploit Status
Exploitation requires authenticated access. The GitHub repository shows proof-of-concept payloads for script injection.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v4.0.4 or later
Vendor Advisory: https://github.com/netbox-community/netbox/releases
Restart Required: Yes
Instructions:
1. Backup your NetBox database and configuration.
2. Update NetBox to v4.0.4 or later using pip: 'pip install --upgrade netbox'.
3. Run database migrations: 'python manage.py migrate'.
4. Restart the NetBox service.
🔧 Temporary Workarounds
Input Validation Filter
Implement server-side input validation to sanitize the Name parameter before storage, and keep output encoding (Django template auto-escaping) enabled wherever the value is rendered.
# Add validation in appropriate view/model file
# Example: Use Django's escape() or bleach.clean()
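The following added example (not NetBox project code) shows the two halves of the workaround on a stored Name value: an allow-list validator applied before storage, and HTML output encoding applied at render time. The function names, the allow-list pattern and the sample Name value are constructed for this example; NetBox's own templates rely on Django's auto-escaping rather than these helpers.

```python
"""
Added example, not part of the advisory or of NetBox: input validation
plus output encoding for a power outlet Name value.
Names such as render_outlet_row_unsafe / validate_outlet_name and the
NAME_PATTERN allow-list are hypothetical choices for this example.
"""
import html
import re

# Constructed sample Name value containing a script tag, the pattern the
# advisory's detection section lists.
SAMPLE_NAME = "<script>alert(1)</script>PDU-1-Outlet-3"

# Allow-list for this example: word characters, space, dot, colon, slash,
# hyphen, at most 64 characters. Adjust to the naming scheme actually used.
NAME_PATTERN = re.compile(r"[\w .:/-]{1,64}")


def validate_outlet_name(name: str) -> str:
    """Server-side validation before storage (defence in depth).
    Rejects any Name that falls outside the allow-list; returns it unchanged otherwise."""
    if not NAME_PATTERN.fullmatch(name):
        raise ValueError("power outlet name contains disallowed characters")
    return name


def render_outlet_row_unsafe(name: str) -> str:
    """'Before' behaviour: the stored value is interpolated into HTML verbatim,
    which is what happens when auto-escaping is bypassed (|safe / mark_safe)."""
    return f"<td>{name}</td>"


def render_outlet_row_safe(name: str) -> str:
    """Output encoding: '<', '>', '&' and quotes become entities, so the browser
    displays the text instead of parsing it as markup."""
    return f"<td>{html.escape(name, quote=True)}</td>"


def contains_script_tag(rendered: str) -> bool:
    """Check used by this example: does the rendered HTML still contain a raw
    <script ...> start tag?"""
    return re.search(r"<script\b", rendered, re.IGNORECASE) is not None


if __name__ == "__main__":
    print("unsafe:", render_outlet_row_unsafe(SAMPLE_NAME))
    print("safe:  ", render_outlet_row_safe(SAMPLE_NAME))
    try:
        validate_outlet_name(SAMPLE_NAME)
    except ValueError as exc:
        print("rejected on input:", exc)
    print("accepted:", validate_outlet_name("PDU-1-Outlet-3"))
```

Validation alone is not sufficient: values already stored in a v4.0.3 database before the filter was added, or imported through the API or CSV import, only become harmless if every rendering path encodes them. Escaping at output is therefore the control to keep, and the validator reduces the amount of hostile data that reaches the database in the first place.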
Content Security Policy
Implement strict Content Security Policy headers to mitigate script execution.
# Add to web server config (nginx example):
# A policy that allows 'unsafe-inline' or 'unsafe-eval' does not block an injected inline script,
# so those keywords are omitted here. Test the header against NetBox's own pages first: scripts
# the application itself embeds inline may need a nonce or an explicit allow-list entry.
add_header Content-Security-Policy "default-src 'self'; script-src 'self';" always;
🧯 If You Can't Patch
- Restrict user permissions to minimize who can edit power outlets
- Implement web application firewall (WAF) rules to block XSS payloads in POST requests
🔍 How to Verify
Check if Vulnerable:
Check if NetBox version is v4.0.3 by visiting /api/ or checking the admin interface footer.
Check Version:
python -c "import netbox; print(netbox.__version__)"
Verify Fix Applied:
After updating, verify version is v4.0.4+ and test XSS payload injection in the Name field at /dcim/power-outlets/{id}/edit/.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /dcim/power-outlets/*/edit/ with script tags or JavaScript in parameters
- Multiple failed validation attempts on Name field
Network Indicators:
- HTTP requests containing <script>, javascript:, or other XSS payload patterns in POST data
SIEM Query:
source="netbox.log" AND ("POST /dcim/power-outlets" AND ("<script>" OR "javascript:" OR "onerror="))
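The SIEM query above matches the literal strings "<script>", "javascript:" and "onerror=", but a browser sends form fields URL-encoded, so a submitted script tag typically appears in the raw request as %3Cscript%3E and would be missed by a literal match. The added example below (not from the advisory or from NetBox) applies the same indicators to constructed access log lines and decodes the POST body before matching. The log line format, the sample lines, the IP addresses and the function names are all constructed for this example.

```python
"""
Added example, not part of the advisory: scan constructed access log
lines for POST requests to the power outlet edit view whose form body
contains the XSS indicators named in the Detection & Monitoring section.
The log format is hypothetical; adapt LOG_LINE to the real log source.
"""
import re
from typing import List, Optional
from urllib.parse import unquote_plus

# Indicators from the advisory's detection section (matched case-insensitively).
XSS_PATTERNS = ("<script", "javascript:", "onerror=")

# Constructed log line layout for this example:
# <timestamp> <client_ip> <method> <path> <status> [body=<urlencoded form body>]
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"(?P<status>\d{3})(?: body=(?P<body>.*))?$"
)

# Scope mirrors the SIEM query: the power outlet edit view only.
OUTLET_EDIT_PATH = re.compile(r"^/dcim/power-outlets/\d+/edit/$")


def find_xss_indicators(text: str) -> List[str]:
    """Return the indicator strings present in text (case-insensitive)."""
    lowered = text.lower()
    return [p for p in XSS_PATTERNS if p in lowered]


def analyse_line(line: str) -> Optional[dict]:
    """Return a finding for a suspicious POST to the outlet edit view, else None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    if m["method"] != "POST" or not OUTLET_EDIT_PATH.match(m["path"]):
        return None
    raw_body = m["body"] or ""
    decoded_body = unquote_plus(raw_body)
    # Match on both the raw and the decoded body so an already-decoded log
    # source is covered as well as a URL-encoded one.
    hits = sorted(set(find_xss_indicators(raw_body) + find_xss_indicators(decoded_body)))
    if not hits:
        return None
    return {"ts": m["ts"], "ip": m["ip"], "path": m["path"], "indicators": hits}


def scan_log(text: str) -> List[dict]:
    """Run analyse_line over every line and collect the findings."""
    return [f for f in (analyse_line(line) for line in text.splitlines()) if f]


# Constructed sample log: a benign edit, an encoded script tag, an edit of
# an unrelated object (outside the query's scope), and an encoded onerror=.
SAMPLE_LOG = """\
2024-06-20T10:01:02Z 10.0.0.5 GET /dcim/power-outlets/12/ 200
2024-06-20T10:01:09Z 10.0.0.5 POST /dcim/power-outlets/12/edit/ 302 body=name=PDU-1-Outlet-3&type=iec-60320-c13
2024-06-20T10:02:41Z 10.0.0.9 POST /dcim/power-outlets/12/edit/ 302 body=name=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&type=iec-60320-c13
2024-06-20T10:03:15Z 10.0.0.9 POST /dcim/devices/4/edit/ 302 body=name=%3Cscript%3Ex%3C%2Fscript%3E
2024-06-20T10:04:00Z 10.0.0.11 POST /dcim/power-outlets/13/edit/ 302 body=name=x%22+onerror%3Dalert%281%29
"""

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Two of the five constructed lines are flagged, both only after decoding: neither "%3Cscript%3E" nor "onerror%3D" matches the literal indicators. The third POST is deliberately left unflagged because the path filter reproduces the SIEM query's scope; when a wider filter is wanted, widen OUTLET_EDIT_PATH rather than the indicator list.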