7.1

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-23345

CVE-2024-23345: XSS potential in rendered Markdown fields (comments, description, notes, etc.)

Impact

All users of Nautobot versions earlier than 1.6.10 or 2.1.2 are potentially impacted.

Due to inadequate input sanitization, any user-editable fields that support Markdown rendering, including:

Circuit.comments
Cluster.comments
CustomField.description
Device.comments
DeviceRedundancyGroup.comments
DeviceType.comments
Job.description
JobLogEntry.message
Location.comments
Note.note
PowerFeed.comments
Provider.noc_contact
Provider.admin_contact
Provider.comments
ProviderNetwork.comments
Rack.comments
Tenant.comments
VirtualMachine.comments
Contents of any custom fields of type markdown
Job class description attributes
The SUPPORT_MESSAGE system configuration setting

are potentially susceptible to cross-site scripting (XSS) attacks via maliciously crafted data.

Patches

Fixed in Nautobot versions 1.6.10 and 2.1.2.

References

https://github.com/nautobot/nautobot/pull/5133 https://github.com/nautobot/nautobot/pull/5134

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2024-23345

CVE-2024-23345:

7.1

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
nautobot	pip	>= 2.0.0, < 2.1.2	2.1.2
nautobot	pip	< 1.6.10	1.6.10

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from the Markdown rendering pipeline. The key function render_markdown() in both current (core/) and legacy (utilities/) paths used Django's strip_tags and a regex-based link sanitizer, which failed to properly neutralize XSS vectors. The fix replaced this with nh3-based HTML sanitization. The commit diffs show these functions were modified to add proper sanitization, confirming they were the vulnerable points. The CVE description explicitly mentions inadequate input sanitization in Markdown-rendered fields, which maps directly to these rendering functions.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

7.1

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2024-23345: XSS potential in rendered Markdown fields (comments, description, notes, etc.)

Impact

Patches

References

CVE-2024-23345:

7.1

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

7.1

7.1

CVE-2024-23345: XSS potential in rendered Markdown fields (comments, description, notes, etc.)

Impact

Patches

References

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI