{"uuid": "8f4f571b-b652-4be0-bec8-d27198d0893f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-v7qw-hx66-4w9x", "type": "seen", "source": "https://gist.github.com/alon710/02ced0e410eaef25c3c5fc6010a5eb1d", "content": "# GHSA-V7QW-HX66-4W9X: GHSA-v7qw-hx66-4w9x: Stored Cross-Site Scripting (XSS) in NetBox Data Flows Plugin\n\n> **CVSS Score:** 8.7\n> **Published:** 2026-05-07\n> **Full Report:** https://cvereports.com/reports/GHSA-V7QW-HX66-4W9X\n\n## Summary\nA stored Cross-Site Scripting (XSS) vulnerability exists in the netbox-data-flows plugin for NetBox, affecting versions prior to 1.5.1. Authenticated attackers with permissions to modify ObjectAlias records can inject arbitrary HTML and JavaScript, which executes in the context of other users viewing DataFlow tables.\n\n## TL;DR\nThe netbox-data-flows plugin improperly escapes ObjectAlias names before rendering them in DataFlow tables. Authenticated users can inject malicious scripts into these fields, leading to stored XSS that can compromise high-privileged administrators.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-79 (Cross-site Scripting)\n- **Attack Vector**: Network\n- **CVSS v3.1**: 8.7 (High)\n- **Impact**: Session Hijacking, Privilege Escalation\n- **Exploit Status**: Proof of Concept Available\n- **Authentication Requirement**: Required (Low Privileges)\n\n## Affected Systems\n\n- NetBox implementations utilizing the netbox-data-flows plugin < 1.5.1\n- **netbox-data-flows**: < 1.5.1 (Fixed in: `1.5.1`)\n\n## Mitigation\n\n- Upgrade to netbox-data-flows version 1.5.1 or higher.\n- Implement Content Security Policy (CSP) headers to restrict inline script execution.\n- Audit existing ObjectAlias records for anomalous HTML or JavaScript payloads.\n\n**Remediation Steps:**\n1. Access the NetBox server operating environment.\n2. Activate the Python virtual environment used by NetBox.\n3. Execute `pip install --upgrade netbox-data-flows>=1.5.1`.\n4. Restart the NetBox WSGI/ASGI service (e.g., `systemctl restart netbox netbox-rq`).\n5. Verify the application logs for successful plugin initialization.\n\n## References\n\n- [GitHub Advisory GHSA-v7qw-hx66-4w9x](https://github.com/Alef-Burzmali/netbox-data-flows/security/advisories/GHSA-v7qw-hx66-4w9x)\n- [Package Repository](https://github.com/Alef-Burzmali/netbox-data-flows)\n- [OSV Record](https://osv.dev/vulnerability/GHSA-v7qw-hx66-4w9x)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/GHSA-V7QW-HX66-4W9X) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-05-08T00:10:29.000000Z"}