{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/data-flows/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["netbox-data-flows (\u003c= 1.5.0)"],"_cs_severities":["high"],"_cs_tags":["xss","netbox","data-flows","stored-xss"],"_cs_type":"advisory","_cs_vendors":["netbox"],"content_html":"\u003cp\u003eThe \u003ccode\u003enetbox-data-flows\u003c/code\u003e plugin for NetBox is susceptible to a stored cross-site scripting (XSS) vulnerability (\u0026lt;=1.5.0). An attacker with authenticated access to create or modify \u003ccode\u003eObjectAlias\u003c/code\u003e objects can inject malicious HTML/JavaScript code into the \u003ccode\u003ename\u003c/code\u003e field of an alias. This injected code is then rendered without proper sanitization within the \u003ccode\u003eDataFlow\u003c/code\u003e table views. When another user, particularly one with elevated privileges, views a \u003ccode\u003eDataFlow\u003c/code\u003e that includes the malicious alias, the injected script executes within their browser session. This can lead to session hijacking, unauthorized actions performed on behalf of the victim user, and the potential exfiltration of sensitive data from the NetBox instance. 
This vulnerability impacts any page rendering \u003ccode\u003eDataFlowTable\u003c/code\u003e, including the main Data Flow list page and model tabs that reuse \u003ccode\u003eDataFlowTable\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker logs into NetBox with valid credentials and permissions to create/edit \u003ccode\u003eObjectAlias\u003c/code\u003e objects.\u003c/li\u003e\n\u003cli\u003eAttacker creates a new \u003ccode\u003eObjectAlias\u003c/code\u003e object.\u003c/li\u003e\n\u003cli\u003eWithin the \u003ccode\u003ename\u003c/code\u003e field of the \u003ccode\u003eObjectAlias\u003c/code\u003e, the attacker injects a malicious JavaScript payload such as \u003ccode\u003e\u0026lt;img src=x onerror=alert(document.domain)\u0026gt;\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAttacker creates or edits a \u003ccode\u003eDataFlow\u003c/code\u003e object.\u003c/li\u003e\n\u003cli\u003eThe attacker associates the malicious \u003ccode\u003eObjectAlias\u003c/code\u003e with either the \u003ccode\u003esources\u003c/code\u003e or \u003ccode\u003edestinations\u003c/code\u003e field of the \u003ccode\u003eDataFlow\u003c/code\u003e object.\u003c/li\u003e\n\u003cli\u003eThe victim user logs into NetBox and navigates to the Data Flow list page or any page rendering the \u003ccode\u003eDataFlowTable\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eDataFlowTable\u003c/code\u003e attempts to render the \u003ccode\u003esources\u003c/code\u003e or \u003ccode\u003edestinations\u003c/code\u003e field, which contains the malicious \u003ccode\u003eObjectAlias\u003c/code\u003e. 
The \u003ccode\u003eobject_list_to_string()\u003c/code\u003e function in \u003ccode\u003enetbox_data_flows/utils/helpers.py\u003c/code\u003e generates HTML using the unescaped \u003ccode\u003eObjectAlias.name\u003c/code\u003e field.\u003c/li\u003e\n\u003cli\u003eThe injected JavaScript within the \u003ccode\u003eObjectAlias.name\u003c/code\u003e executes in the victim\u0026rsquo;s browser, potentially leading to session theft or unauthorized actions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis stored XSS vulnerability in \u003ccode\u003enetbox-data-flows\u003c/code\u003e can affect any authenticated NetBox user who views a page rendering the affected \u003ccode\u003eDataFlow\u003c/code\u003e table. The impact is amplified when higher-privileged users are targeted. Successful exploitation allows an attacker to steal user sessions, perform privileged actions on behalf of the victim, and exfiltrate sensitive data accessible within NetBox. 
The vulnerability affects versions 1.5.0 and earlier of the \u003ccode\u003enetbox-data-flows\u003c/code\u003e plugin.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the \u003ccode\u003enetbox-data-flows\u003c/code\u003e plugin to a version greater than 1.5.0 to remediate the vulnerability (Affected Packages).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect netbox-data-flows XSS Payload in ObjectAlias Name\u0026rdquo; to detect attempts to create \u003ccode\u003eObjectAlias\u003c/code\u003e objects with malicious payloads in the \u003ccode\u003ename\u003c/code\u003e field (rules).\u003c/li\u003e\n\u003cli\u003eMonitor NetBox logs for suspicious activity related to \u003ccode\u003eObjectAlias\u003c/code\u003e creation and modification (logsource).\u003c/li\u003e\n\u003cli\u003eReview existing \u003ccode\u003eObjectAlias\u003c/code\u003e objects for any potentially malicious code in the \u003ccode\u003ename\u003c/code\u003e field (ObjectAlias.name).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-07-03T12:00:00Z","date_published":"2024-07-03T12:00:00Z","id":"/briefs/2024-07-netbox-data-flows-xss/","summary":"The netbox-data-flows plugin is vulnerable to stored cross-site scripting (XSS). An authenticated user with permissions to create or edit ObjectAlias objects can inject arbitrary HTML/JavaScript into the alias name. This payload is then rendered unescaped in DataFlow table views, leading to XSS when another user views the affected page. Successful exploitation can result in session theft, privileged action execution, and data exfiltration.","title":"netbox-data-flows Stored XSS Vulnerability in ObjectAlias Names","url":"https://feed.craftedsignal.io/briefs/2024-07-netbox-data-flows-xss/"}],"language":"en","title":"CraftedSignal Threat Feed — Data-Flows","version":"https://jsonfeed.org/version/1.1"}