Nautobot is a Network Source of Truth and Network Automation Platform. A Nautobot user with admin privileges can modify the `BANNER_TOP`, `BANNER_BOTTOM`, and `BANNER_LOGIN` configuration settings via the `/admin/constance/config/` endpoint. Normally these settings provide custom banner text at the top and bottom of all Nautobot web pages (or, in the case of `BANNER_LOGIN`, on the login page only), but it was reported that an admin user can use these settings to inject arbitrary HTML, potentially exposing Nautobot users to security issues such as stored cross-site scripting (XSS). The vulnerability is fixed in Nautobot 1.6.22 and 2.2.4.
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Tue, 26 Aug 2025 16:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Networktocode
                                      Networktocode nautobot
CPEs                                  cpe:2.3:a:networktocode:nautobot:*:*:*:*:*:*:*:*
Vendors & Products                    Networktocode
                                      Networktocode nautobot

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2024-08-02T02:59:22.584Z

Reserved: 2024-05-07T13:53:00.133Z

Link: CVE-2024-34707

Vulnrichment

Updated: 2024-08-02T02:59:22.584Z

NVD

Status: Analyzed

Published: 2024-05-14T15:39:30.633

Modified: 2025-08-26T16:16:00.280

Link: CVE-2024-34707

Redhat

No data.

OpenCVE Enrichment

No data.