Upgrade phpoffice/phpspreadsheet to version 1.29.7, 2.1.6, 2.3.5, 3.7.0 or higher.

nautobot 1.6.14 vulnerabilities

Known vulnerabilities in the nautobot package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability	Vulnerable Version
M Improper Authorization nautobot is a Source of truth and network automation platform. Affected versions of this package are vulnerable to Improper Authorization through the `extras.view_dynamicgroup` permission and the Dynamic Group detail UI view or the members REST API view. An attacker can view objects that are members of a given Dynamic Group without the required `dcim.view_device` permissions. How to fix Improper Authorization? Upgrade `nautobot` to version 1.6.23, 2.2.5 or higher.	[1.3.0,1.6.23)[2.0.0,2.2.5)
H Cross-site Scripting (XSS) nautobot is a Source of truth and network automation platform. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the `BANNER_TOP`, `BANNER_BOTTOM`, and `BANNER_LOGIN` configuration settings. An attacker can manipulate web content and execute scripts in the context of the user's browser by injecting arbitrary HTML content into these settings. How to fix Cross-site Scripting (XSS)? Upgrade `nautobot` to version 1.6.22, 2.2.4 or higher.	[,1.6.22)[2.0.0,2.2.4)
M Cross-site Scripting (XSS) nautobot is a Source of truth and network automation platform. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to improper handling and escaping of user-provided query parameters. All filterable object-list views are vulnerable. How to fix Cross-site Scripting (XSS)? Upgrade `nautobot` to version 1.6.20, 2.2.3 or higher.	[1.5.0,1.6.20)[2.0.0,2.2.3)
L Information Exposure nautobot is a Source of truth and network automation platform. Affected versions of this package are vulnerable to Information Exposure due to improper access control on several URL endpoints. An attacker can access sensitive information without authentication by exploiting endpoints that are improperly accessible to unauthenticated users. This includes endpoints that may disclose information about the system's authentication backend classes, supported secrets providers, and potentially sensitive logs associated with specific JobResults. Note: This is only exploitable if the Nautobot configuration variable `EXEMPT_VIEW_PERMISSIONS` is altered from its default value to permit access to specific data by unauthenticated users. How to fix Information Exposure? Upgrade `nautobot` to version 1.6.16, 2.1.9 or higher.	[,1.6.16)[2.0.0,2.1.9)

Vulnerability

Vulnerable Version

Improper Authorization

nautobot is a Source of truth and network automation platform.

Affected versions of this package are vulnerable to Improper Authorization through the extras.view_dynamicgroup permission and the Dynamic Group detail UI view or the members REST API view. An attacker can view objects that are members of a given Dynamic Group without the required dcim.view_device permissions.

How to fix Improper Authorization?

Upgrade nautobot to version 1.6.23, 2.2.5 or higher.

[1.3.0,1.6.23)[2.0.0,2.2.5)

Cross-site Scripting (XSS)

nautobot is a Source of truth and network automation platform.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the BANNER_TOP, BANNER_BOTTOM, and BANNER_LOGIN configuration settings. An attacker can manipulate web content and execute scripts in the context of the user's browser by injecting arbitrary HTML content into these settings.

How to fix Cross-site Scripting (XSS)?

Upgrade nautobot to version 1.6.22, 2.2.4 or higher.

[,1.6.22)[2.0.0,2.2.4)

Cross-site Scripting (XSS)

nautobot is a Source of truth and network automation platform.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to improper handling and escaping of user-provided query parameters. All filterable object-list views are vulnerable.

How to fix Cross-site Scripting (XSS)?

Upgrade nautobot to version 1.6.20, 2.2.3 or higher.

[1.5.0,1.6.20)[2.0.0,2.2.3)

Information Exposure

nautobot is a Source of truth and network automation platform.

Affected versions of this package are vulnerable to Information Exposure due to improper access control on several URL endpoints. An attacker can access sensitive information without authentication by exploiting endpoints that are improperly accessible to unauthenticated users. This includes endpoints that may disclose information about the system's authentication backend classes, supported secrets providers, and potentially sensitive logs associated with specific JobResults.

Note:

This is only exploitable if the Nautobot configuration variable EXEMPT_VIEW_PERMISSIONS is altered from its default value to permit access to specific data by unauthenticated users.

How to fix Information Exposure?

Upgrade nautobot to version 1.6.16, 2.1.9 or higher.

[,1.6.16)[2.0.0,2.1.9)

nautobot@1.6.14 vulnerabilities

Source of truth and network automation platform.

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

How to fix?