Netbox | CVE-2024-23780

A high-severity security vulnerability, CVE-2024-23780, has been identified in NetBox version 3.7.0, allowing an attacker to change a user’s password without requiring knowledge of the old password. This authentication bypass poses a significant risk, potentially leading to unauthorized access, account takeover, and compromise of sensitive information. The vulnerability arises from a lack of validation checks during the password change process in NetBox version 3.7.0. An attacker can exploit this weakness to change a user’s password without providing the old password, undermining the authentication mechanism and allowing for unauthorized access. The steps to reproduce the vulnerability include logging in to NetBox as an attacker, navigating to the password change functionality, changing the password for a target user account without providing the old password, verifying the successful password change, and logging in to the target user account using the new password. This remote attack vector could be exploited with an active session or by escalating XSS to steal the CSRF token.

The vulnerability was discovered by Hazard Lab.