CVE-2024-23345: 
Python vulnerability analysis and mitigation

CVE-2024-23345 affects Nautobot, a Network Source of Truth and Network Automation Platform, versions earlier than 1.6.10 or 2.1.2. The vulnerability is a cross-site scripting (XSS) issue that exists due to inadequate input sanitization in user-editable fields that support Markdown rendering, including comments, descriptions, notes, and job log entries. The vulnerability was discovered in January 2024 and has been assigned a CVSS v3.1 base score of 7.1 (High) (GitHub Advisory).

The vulnerability stems from insufficient sanitization of user input in fields that support Markdown rendering. Any user-editable fields that support Markdown rendering are potentially susceptible to XSS attacks via maliciously crafted data. The affected components include various fields like Circuit.comments, CustomField.description, Device.comments, Job.description, JobLogEntry.message, and several others. The CVSS vector string is CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:L, indicating network attack vector, high attack complexity, low privileges required, and user interaction required (NVD).

The vulnerability could allow attackers to execute cross-site scripting attacks through maliciously crafted data in Markdown-rendered fields. This affects data confidentiality (Low), integrity (High), and availability (Low). The scope is changed, meaning the vulnerable component can impact resources beyond its security scope (GitHub Advisory).

The vulnerability has been fixed in Nautobot versions 1.6.10 and 2.1.2. Users should upgrade to these patched versions to mitigate the risk. The fix includes implementing the nh3 HTML sanitization library to provide more robust defense against potential XSS and obfuscated script-injection attacks (GitHub PR).