NetBox Cross-Site Scripting Vulnerability in Comment Fields

Vulnerability

A stored cross-site scripting (HTML injection) vulnerability has been identified in NetBox version 4.3.5. The 'comment' fields on the forms of various object types accept user-supplied HTML that is not properly sanitized before the comment is rendered, so markup saved by one user is rendered in the browser of every other user who views the object. The injected markup does not execute JavaScript directly, but it can alter the page as other users see it and, in some cases, could be escalated to a more severe cross-site scripting attack.

Impact

Successful exploitation lets an attacker store arbitrary HTML that is rendered for every user who views the affected object. This can be used to alter or spoof parts of the interface (for example a fake "session expired" notice) or to plant phishing-style links and redirections to an attacker-controlled site. Saving a comment requires the ability to edit the object, so the realistic attacker is a low-privileged authenticated user; whether the vulnerable forms are reachable without authentication depends on the access controls of the individual NetBox deployment.

Reproduction

To reproduce, save HTML in the 'comment' field of any NetBox object that has one, such as a device or an IP address, either through the object's edit form or through the REST API. Payloads that demonstrate the issue include an anchor (<a href="...">), bold text (<b>) and a <marquee> tag. When another user opens the object's detail view, the markup is rendered by the browser rather than shown as literal text. A practical check after patching is that the same comment is displayed with the tags escaped or stripped, and that no <a> element whose href uses a non-http(s) scheme (for example javascript:) survives rendering.
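The following is an added example, not NetBox's own code and not part of the original advisory: a stand-alone allowlist sanitizer in Python (the language NetBox is written in) plus an audit helper that reports which tags in a set of constructed sample comments would be stripped. It covers the three payload types from the reproduction steps (link, bold, marquee) together with the cases a fix also has to handle: bold and an https link pass through, marquee, img and meta are dropped, event-handler attributes are removed, and a link whose href uses a javascript: scheme loses its href. All object names, URLs and comment texts are constructed for the example; `sanitize`, `safe_href` and `audit_comments` are this example's own functions, not NetBox APIs.

```python
"""Allowlist HTML sanitizer and comment audit (added example, not NetBox code).
NetBox renders comment fields itself; this only shows the allowlist approach
that closes HTML injection. All sample data below is constructed."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags a comment legitimately needs. Anything else (marquee, img, iframe,
# meta, form, script, style ...) is dropped; its text content is kept escaped.
ALLOWED_TAGS = {"a", "b", "strong", "i", "em", "code", "pre", "p", "br",
                "ul", "ol", "li", "blockquote"}
ALLOWED_ATTRS = {"a": {"href", "title"}}      # href is also scheme-checked
SAFE_SCHEMES = {"http", "https", "mailto", ""}  # "" = relative URL
VOID_TAGS = {"br"}


def safe_href(url: str) -> bool:
    """True if the URL's scheme is on the allowlist."""
    # Browsers ignore tab/newline inside a scheme ("java\tscript:"), so strip
    # them before parsing; urlparse returns the scheme lower-cased.
    cleaned = "".join(ch for ch in url if ch not in "\t\n\r").strip()
    return urlparse(cleaned).scheme in SAFE_SCHEMES


class AllowlistSanitizer(HTMLParser):
    """Re-emits only allowlisted tags/attributes; everything else is text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []  # tags we emitted, so we close exactly those
        self.dropped = []    # what was removed, for the audit report

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.dropped.append(tag)
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops event handlers such as onerror, onclick
            if name == "href" and not safe_href(value or ""):
                self.dropped.append(f"{tag}[href]")
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag not in self.open_tags:
            return  # stray closing tag, or one whose opener was dropped
        while self.open_tags:  # also closes tags left open inside it
            closed = self.open_tags.pop()
            self.out.append(f"</{closed}>")
            if closed == tag:
                break

    def handle_data(self, data):
        # <script>/<style> bodies arrive here too once their tag is dropped.
        self.out.append(escape(data, quote=False))

    def result(self) -> str:
        while self.open_tags:  # close anything the input left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize(html: str) -> tuple[str, list[str]]:
    """Return (sanitized HTML, list of dropped tags/attributes)."""
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return parser.result(), parser.dropped


# Constructed comments, as an attacker could save them through an object's
# edit form or the REST API. Keys are made-up object names.
SAMPLE_COMMENTS = {
    "dev-core-01": 'Replaced PSU on <b>2026-03-10</b>, see '
                   '<a href="https://wiki.example.invalid/psu">ticket</a>.',
    "dev-edge-07": '<marquee>Session expired, log in again at '
                   '<a href="http://login.example.invalid/">the portal</a></marquee>',
    "10.0.0.5/24": '<a href="javascript:alert(document.cookie)">reserved</a>',
    "rack-a1": '<img src=x onerror="alert(1)">decommissioned',
    "site-hq": '<meta http-equiv="refresh" content="0;url=https://evil.example.invalid/">',
}


def audit_comments(comments: dict[str, str]) -> dict[str, list[str]]:
    """Per object, the tags/attributes the allowlist would strip ([] = clean)."""
    return {obj: sanitize(text)[1] for obj, text in comments.items()}


if __name__ == "__main__":
    for obj, text in SAMPLE_COMMENTS.items():
        clean, dropped = sanitize(text)
        print(f"{obj}: dropped={dropped}\n  before: {text}\n  after:  {clean}")
```

The audit half is the part worth reusing after a patch: run `audit_comments` over the comments exported from an affected instance and any object with a non-empty result is one that was carrying injected markup and should be reviewed by hand.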

Added: Mar 16, 2026, 4:31 PM
Updated: Mar 16, 2026, 4:31 PM

Vulnerability Rating

Custom Algorithm
spread: 4.5
impact: 0.2
exploitability: 4.6
remediation: 0.0
relevance: 4.0
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.