CVE-2024-32979 - Vulnerability Details - OpenCVE

Nautobot is a Network Source of Truth and Network Automation Platform built as a web application atop the Django Python framework with a PostgreSQL or MySQL database. It was discovered that due to improper handling and escaping of user-provided query parameters, a maliciously crafted Nautobot URL could potentially be used to execute a Reflected Cross-Site Scripting (Reflected XSS) attack against users. All filterable object-list views in Nautobot are vulnerable. This issue has been fixed in Nautobot versions 1.6.20 and 2.2.3. There are no known workarounds for this vulnerability.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact High

Availability Impact Low

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00148.

Key SSVC decision points have not yet been added.

Vendors	Products
Networktocode	Nautobot

Configuration 1 [-]

OR	cpe:2.3:a:networktocode:nautobot::::::::
	cpe:2.3:a:networktocode:nautobot::::::::

No data.

No data.

References

Link	Providers
https://github.com/nautobot/nautobot/commit/42440ebd9b381534ad89d62420ebea00d703d64e
https://github.com/nautobot/nautobot/pull/5646
https://github.com/nautobot/nautobot/pull/5647
https://github.com/nautobot/nautobot/security/advisories/GHSA-jxgr-gcj5-cqqg

History

Tue, 26 Aug 2025 19:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Networktocode Networktocode nautobot
CPEs		cpe:2.3:a:networktocode:nautobot::::::::
Vendors & Products		Networktocode Networktocode nautobot

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-05-01T10:49:56.643Z

Updated: 2024-08-02T02:27:53.473Z

Reserved: 2024-04-22T15:14:59.166Z

Link: CVE-2024-32979

Vulnrichment

Updated: 2024-08-02T02:27:53.473Z

NVD

Status : Analyzed

Published: 2024-05-01T11:15:47.407

Modified: 2025-08-26T18:54:06.693

Link: CVE-2024-32979

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-32979", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-04-22T15:14:59.166Z", "datePublished": "2024-05-01T10:49:56.643Z", "dateUpdated": "2024-08-02T02:27:53.473Z"}, "containers": {"cna": {"title": "Reflected Cross-site Scripting potential in all object list views in Nautobot", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/nautobot/nautobot/security/advisories/GHSA-jxgr-gcj5-cqqg", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/nautobot/nautobot/security/advisories/GHSA-jxgr-gcj5-cqqg"}, {"name": "https://github.com/nautobot/nautobot/pull/5646", "tags": ["x_refsource_MISC"], "url": "https://github.com/nautobot/nautobot/pull/5646"}, {"name": "https://github.com/nautobot/nautobot/pull/5647", "tags": ["x_refsource_MISC"], "url": "https://github.com/nautobot/nautobot/pull/5647"}, {"name": "https://github.com/nautobot/nautobot/commit/42440ebd9b381534ad89d62420ebea00d703d64e", "tags": ["x_refsource_MISC"], "url": "https://github.com/nautobot/nautobot/commit/42440ebd9b381534ad89d62420ebea00d703d64e"}], "affected": [{"vendor": "nautobot", "product": "nautobot", "versions": [{"version": "< 1.6.20", "status": "affected"}, {"version": ">= 2.0.0, < 2.2.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-05-01T10:49:56.643Z"}, "descriptions": [{"lang": "en", "value": "Nautobot is a Network Source of Truth and Network Automation Platform built as a web application atop the Django Python framework with a PostgreSQL or MySQL database. It was discovered that due to improper handling and escaping of user-provided query parameters, a maliciously crafted Nautobot URL could potentially be used to execute a Reflected Cross-Site Scripting (Reflected XSS) attack against users. All filterable object-list views in Nautobot are vulnerable. This issue has been fixed in Nautobot versions 1.6.20 and 2.2.3. There are no known workarounds for this vulnerability.\n"}], "source": {"advisory": "GHSA-jxgr-gcj5-cqqg", "discovery": "UNKNOWN"}}, "adp": [{"affected": [{"vendor": "networktocode", "product": "nautobot", "cpes": ["cpe:2.3:a:networktocode:nautobot:-:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "1.6.20", "versionType": "custom"}]}, {"vendor": "networktocode", "product": "nautobot", "cpes": ["cpe:2.3:a:networktocode:nautobot:2.0.0:-:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "2.0.0", "status": "affected", "lessThanOrEqual": "2.2.3", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-05-02T16:56:47.104819Z", "id": "CVE-2024-32979", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-24T18:15:30.948Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T02:27:53.473Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/nautobot/nautobot/security/advisories/GHSA-jxgr-gcj5-cqqg", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/nautobot/nautobot/security/advisories/GHSA-jxgr-gcj5-cqqg"}, {"name": "https://github.com/nautobot/nautobot/pull/5646", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/nautobot/nautobot/pull/5646"}, {"name": "https://github.com/nautobot/nautobot/pull/5647", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/nautobot/nautobot/pull/5647"}, {"name": "https://github.com/nautobot/nautobot/commit/42440ebd9b381534ad89d62420ebea00d703d64e", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/nautobot/nautobot/commit/42440ebd9b381534ad89d62420ebea00d703d64e"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/nautobot/nautobot/security/advisories/GHSA-jxgr-gcj5-cqqg", "name": "https://github.com/nautobot/nautobot/security/advisories/GHSA-jxgr-gcj5-cqqg", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/nautobot/nautobot/pull/5646", "name": "https://github.com/nautobot/nautobot/pull/5646", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/nautobot/nautobot/pull/5647", "name": "https://github.com/nautobot/nautobot/pull/5647", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/nautobot/nautobot/commit/42440ebd9b381534ad89d62420ebea00d703d64e", "name": "https://github.com/nautobot/nautobot/commit/42440ebd9b381534ad89d62420ebea00d703d64e", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T02:27:53.473Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-32979", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-02T16:56:47.104819Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:networktocode:nautobot:-:*:*:*:*:*:*:*"], "vendor": "networktocode", "product": "nautobot", "versions": [{"status": "affected", "version": "0", "lessThan": "1.6.20", "versionType": "custom"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:networktocode:nautobot:2.0.0:-:*:*:*:*:*:*"], "vendor": "networktocode", "product": "nautobot", "versions": [{"status": "affected", "version": "2.0.0", "versionType": "custom", "lessThanOrEqual": "2.2.3"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-02T16:55:56.387Z"}}], "cna": {"title": "Reflected Cross-site Scripting potential in all object list views in Nautobot", "source": {"advisory": "GHSA-jxgr-gcj5-cqqg", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "nautobot", "product": "nautobot", "versions": [{"status": "affected", "version": "< 1.6.20"}, {"status": "affected", "version": ">= 2.0.0, < 2.2.3"}]}], "references": [{"url": "https://github.com/nautobot/nautobot/security/advisories/GHSA-jxgr-gcj5-cqqg", "name": "https://github.com/nautobot/nautobot/security/advisories/GHSA-jxgr-gcj5-cqqg", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/nautobot/nautobot/pull/5646", "name": "https://github.com/nautobot/nautobot/pull/5646", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/nautobot/nautobot/pull/5647", "name": "https://github.com/nautobot/nautobot/pull/5647", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/nautobot/nautobot/commit/42440ebd9b381534ad89d62420ebea00d703d64e", "name": "https://github.com/nautobot/nautobot/commit/42440ebd9b381534ad89d62420ebea00d703d64e", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Nautobot is a Network Source of Truth and Network Automation Platform built as a web application atop the Django Python framework with a PostgreSQL or MySQL database. It was discovered that due to improper handling and escaping of user-provided query parameters, a maliciously crafted Nautobot URL could potentially be used to execute a Reflected Cross-Site Scripting (Reflected XSS) attack against users. All filterable object-list views in Nautobot are vulnerable. This issue has been fixed in Nautobot versions 1.6.20 and 2.2.3. There are no known workarounds for this vulnerability.\n"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-05-01T10:49:56.643Z"}}}, "cveMetadata": {"cveId": "CVE-2024-32979", "state": "PUBLISHED", "dateUpdated": "2024-08-02T02:27:53.473Z", "dateReserved": "2024-04-22T15:14:59.166Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-05-01T10:49:56.643Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:networktocode:nautobot:*:*:*:*:*:*:*:*", "matchCriteriaId": "8A35DF33-E3B2-43F5-B670-3B1C4B5A8712", "versionEndExcluding": "1.6.20", "versionStartIncluding": "1.5.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:networktocode:nautobot:*:*:*:*:*:*:*:*", "matchCriteriaId": "28F056B6-EFFE-4521-8F9E-02F7BBC9E6C4", "versionEndExcluding": "2.2.3", "versionStartIncluding": "2.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Nautobot is a Network Source of Truth and Network Automation Platform built as a web application atop the Django Python framework with a PostgreSQL or MySQL database. It was discovered that due to improper handling and escaping of user-provided query parameters, a maliciously crafted Nautobot URL could potentially be used to execute a Reflected Cross-Site Scripting (Reflected XSS) attack against users. All filterable object-list views in Nautobot are vulnerable. This issue has been fixed in Nautobot versions 1.6.20 and 2.2.3. There are no known workarounds for this vulnerability.\n"}, {"lang": "es", "value": "Nautobot es una plataforma de automatizaci\u00f3n de redes y fuente de verdad de red creada como una aplicaci\u00f3n web sobre el framework Django Python con una base de datos PostgreSQL o MySQL. Se descubri\u00f3 que debido al manejo inadecuado y al escape de los par\u00e1metros de consulta proporcionados por el usuario, una URL de Nautobot manipulada con fines malintencionados podr\u00eda usarse para ejecutar un ataque de Cross-Site Scripting Reflejado (Reflected XSS) contra los usuarios. Todas las vistas de lista de objetos filtrables en Nautobot son vulnerables. Este problema se solucion\u00f3 en las versiones 1.6.20 y 2.2.3 de Nautobot. No se conocen workarounds para esta vulnerabilidad."}], "id": "CVE-2024-32979", "lastModified": "2025-08-26T18:54:06.693", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.3, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-05-01T11:15:47.407", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/nautobot/nautobot/commit/42440ebd9b381534ad89d62420ebea00d703d64e"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/nautobot/nautobot/pull/5646"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/nautobot/nautobot/pull/5647"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/nautobot/nautobot/security/advisories/GHSA-jxgr-gcj5-cqqg"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/nautobot/nautobot/commit/42440ebd9b381534ad89d62420ebea00d703d64e"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/nautobot/nautobot/pull/5646"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/nautobot/nautobot/pull/5647"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/nautobot/nautobot/security/advisories/GHSA-jxgr-gcj5-cqqg"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Secondary"}]}