CVE-2019-25011

MEDIUM 5.4 / 10.0
Published: December 31, 2020 at 08:15 PM
Modified: November 21, 2024 at 04:39 AM
Source: cve@mitre.org

Vulnerability Description

NetBox through 2.6.2 allows an Authenticated User to conduct an XSS attack against an admin via a GFM-rendered field, as demonstrated by /dcim/sites/add/ comments.

CVSS Metrics

Base Score
5.4
Severity
MEDIUM
Vector String
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Weaknesses (CWE)

Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

NetBox versions up to 2.6.2 are vulnerable to a Cross-Site Scripting (XSS) attack, allowing a malicious authenticated user to inject arbitrary JavaScript code into the application. This vulnerability, exploitable through GFM-rendered fields like comments, could lead to account compromise and data exfiltration for administrative users. Successful exploitation grants attackers control over the victim's browser session.

02 // Vulnerability Mechanism

Step 1: Authentication: The attacker must first have valid credentials to log into the NetBox application.

Step 2: Payload Injection: The attacker crafts a malicious JavaScript payload (e.g., <script>alert('XSS')</script> or more sophisticated code) and inserts it into a GFM-rendered field, such as the 'comments' field when adding a new site via /dcim/sites/add/.

Step 3: Data Storage: The malicious payload is stored within the NetBox database along with the other site information.

Step 4: Administrator Interaction: An administrator, logged into NetBox, views the site details, including the attacker-injected comment. The application renders the comment using the GFM renderer.

Step 5: Payload Execution: The GFM renderer processes the comment, and because the input is not properly sanitized, the malicious JavaScript payload executes within the administrator's browser.

Step 6: Exploitation: The attacker's JavaScript payload can now perform actions within the administrator's browser, such as stealing session cookies, redirecting the user to a phishing site, or modifying data within NetBox.

03 // Deep Technical Analysis

The vulnerability stems from a failure to properly sanitize user-supplied input before rendering it within the application's interface. Specifically, the NetBox application uses a GFM (GitHub Flavored Markdown) renderer for fields like comments, but it does not adequately filter or escape HTML or JavaScript code embedded within the Markdown. This allows an attacker to inject malicious JavaScript payloads within these fields. When an administrator views the comment, the injected JavaScript executes in their browser, enabling the attacker to steal session cookies, redirect the user, or perform other malicious actions. The root cause is a lack of input validation and output encoding for user-provided data rendered within the context of HTML. The GFM renderer, while intended for formatting, is used without sanitizing the HTML it produces. This is a classic example of a stored XSS vulnerability.
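The mitigation for the mechanism described in the steps above and in this analysis is to sanitize the renderer's HTML output against an allow-list before it reaches the admin's page, rather than trying to validate the Markdown input. The following is an added example, not NetBox's code: the Markdown renderer is a constructed stand-in that mimics the raw-HTML pass-through of real GFM renderers, and the tag and attribute allow-list is an assumption.

```python
from html.parser import HTMLParser
from html import escape
import re

# Stand-in for a GFM renderer: converts **bold** and, like real Markdown renderers,
# passes raw HTML through untouched. That pass-through is what lets a stored <script> run.
def naive_gfm_render(text: str) -> str:
    return re.sub(r"\*\*(.+?)\*\*", r"<strong>\1</strong>", text)

ALLOWED_TAGS = {"p", "strong", "em", "a", "code", "pre", "ul", "ol", "li", "br"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
SAFE_URL = re.compile(r"^(https?:|mailto:|/)", re.IGNORECASE)

class AllowListSanitizer(HTMLParser):
    """Keep only allow-listed tags/attributes; drop script/style bodies; re-escape text."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside a dropped <script>/<style> block

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if tag not in ALLOWED_TAGS:
            return  # drop the tag itself; its text content is still kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue  # rejects event-handler attributes such as onclick/onerror
            if name == "href" and not SAFE_URL.match(value.strip()):
                continue  # rejects javascript: and data: URLs
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
        elif tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

def render_comment(user_markdown: str) -> str:
    """Render first, then sanitize the HTML: the safe order for untrusted Markdown."""
    p = AllowListSanitizer()
    p.feed(naive_gfm_render(user_markdown))
    p.close()
    return "".join(p.out)
```

Sanitizing the rendered HTML (rather than the Markdown source) matters because Markdown syntax itself can produce links and inline HTML, so only the final output can be judged against the allow-list.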

CVE-2019-25011 - MEDIUM Severity (5.4) | Free CVE Database | 4nuxd