An authenticated user who can create or edit `ObjectAlias` objects can store arbitrary HTML/JavaScript in an alias name. The unsafe rendering occurs when that alias is later displayed in a `DataFlow` table.
How the vulnerability works (technical flow):
1. User-controlled input
   - `ObjectAlias.name` is a plain `CharField` with no automatic escaping.
   - The `__str__()` method of `ObjectAlias` returns `self.name` directly.
2. Table column rendering
   - `DataFlowTable.sources` and `DataFlowTable.destinations` use `ObjectAliasListColumn`.
   - That column's `render()` method calls `object_list_to_string(value.all(), linkify=True)`.
3. Unsafe HTML construction
   Inside `object_list_to_string()`, the code builds raw anchor tags:
   ```python
   mark_safe(separator.join(f'<a href="{o.get_absolute_url()}">{o}</a>' for o in objects))
   ```
   - `{o}` is inserted without escaping.
   - Because `__str__()` returns the raw user input (HTML/JavaScript), the unescaped payload is embedded into the anchor tag.
4. Marking as "safe"
   The entire string is passed through `mark_safe()`, instructing Django to bypass its auto-escaping mechanism.
5. Trigger
   Any page that renders a `DataFlowTable`, such as the main Data Flow list page or model tabs, will execute the stored payload in the browser of any victim who views that page.
Platform: NetBox + plugin
Version: netbox-data-flows ≤1.5.0
Vulnerability: Stored XSS
Severity: High
Date: 2026-05-07
Prediction: Patch released 2026-05-07 (v1.5.1)
What Undercode Say:
Analytics
The vulnerability arises from a classic “double‑escape failure” in a custom table renderer. The plugin uses `mark_safe()` to output HTML links, but the alias text itself is not escaped before being placed inside the anchor. This bypasses Django’s default auto‑escaping and creates a direct injection path.
Bash commands & codes (verification / reproduction):

Install the vulnerable plugin version and restart NetBox after installation:
```bash
pip install netbox-data-flows==1.5.0
sudo systemctl restart netbox
```

Use the NetBox shell to create a malicious alias:
```bash
python /opt/netbox/netbox/manage.py shell
```
```python
>>> from netbox_data_flows.models import ObjectAlias
>>> alias = ObjectAlias(name='<img src=x onerror=alert(document.domain)>')
>>> alias.save()
```
Exploit:
1. Authenticate as a user with permission to create `ObjectAlias` and `DataFlow` objects.
2. Create an `ObjectAlias` with the payload: ``.
3. Associate that alias with a `DataFlow` as a source or destination.
4. Any other authenticated user who views the Data Flow list page will see the alert box.
Protection from this CVE:
- Upgrade to netbox-data-flows v1.5.1 or later.
- If immediate upgrade is not possible, implement a regex validator on `ObjectAlias.name` to reject HTML/JS‑like patterns (see example in the plugin’s README).
- Avoid using `mark_safe()` on user‑controlled strings unless explicitly escaped beforehand.
Impact:
- Session theft – The attacker can steal the victim’s session cookie.
- Privileged action execution – The malicious script can perform any action the victim is authorized to do.
- Data exfiltration – Sensitive information visible to the victim can be sent to the attacker.
- Low‑privilege user → high‑impact attack – An attacker with minimal permissions can target higher‑privileged users, amplifying the damage.
Sources:
Reported By: github.com