DOM-based XSS vulnerability in search export link #20009

@jnovinger

Description

Deployment Type

Self-hosted

NetBox Version

v4.3.5

Python Version

3.10

Steps to Reproduce

  1. Navigate to a NetBox list view with search and export functionality

    • Go to /dcim/devices/ or any other object list view
    • Ensure you can see both the search box and "Export" button/link
  2. Enter a malicious search query containing URL-breaking characters

    • In the search box, enter: test&malicious=injected<script>alert('xss')</script>
    • Press Enter or click search
  3. Inspect the Export link

    • Right-click on the "Export Current View" link
    • Select "Inspect Element" or "Copy Link Address"
    • Observe the href attribute contains unencoded malicious input
  4. Verify the vulnerability

    • The href should contain: ...&q=test&malicious=injected<script>alert('xss')</script>
    • Notice the search parameter is not URL-encoded
    • The &malicious=injected creates an additional URL parameter
    • The <script> tags are present in raw form
  5. Confirm exploitation potential

    • Copy the malicious export URL
    • Paste into browser address bar
    • Depending on how the export endpoint processes the URL, the XSS payload could execute

Expected Behavior

User input in search parameters should be properly URL-encoded before being added to export links to prevent XSS vulnerabilities.

Observed Behavior

Raw user input is concatenated directly into the export link URL without encoding.
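The following is an added example, not NetBox's own code: it places the raw-concatenation pattern described above beside a URL-encoded construction and parses both back the way a server would, so the extra parameter and the raw tags in the first, and the intact single value in the second, can be checked directly. The base path and the export parameter name are assumptions for illustration.

```python
"""Added example (not NetBox code): unencoded vs. encoded export link."""
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample input, taken from the report's reproduction step.
MALICIOUS_QUERY = "test&malicious=injected<script>alert('xss')</script>"

# Assumed base path / parameter name for illustration only.
BASE_PATH = "/dcim/devices/"


def build_export_url_unencoded(base_path: str, query: str) -> str:
    """The flawed pattern from the report: raw string concatenation."""
    return f"{base_path}?export=table&q={query}"


def build_export_url_encoded(base_path: str, query: str) -> str:
    """Hardened form: every value goes through urlencode, so '&', '=',
    '<' and '>' cannot end the value or introduce a new parameter."""
    return f"{base_path}?{urlencode({'export': 'table', 'q': query})}"


def parsed_params(url: str) -> dict[str, list[str]]:
    """Parse the query string back, as a server-side handler would."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True)


def check(query: str) -> dict:
    """Compare both constructions and return facts a reviewer can assert on."""
    bad = build_export_url_unencoded(BASE_PATH, query)
    good = build_export_url_encoded(BASE_PATH, query)
    bad_params = parsed_params(bad)
    good_params = parsed_params(good)
    return {
        "unencoded_url": bad,
        "encoded_url": good,
        # The '&' inside the search term splits off a second parameter.
        "injected_param_present": "malicious" in bad_params,
        "unencoded_q_value": bad_params.get("q"),
        # The tags survive verbatim inside the href.
        "raw_script_tag_in_href": "<script>" in bad,
        # Encoding keeps the whole term as the single value of 'q'.
        "encoded_round_trips": good_params.get("q") == [query],
        "encoded_has_raw_angle_brackets": "<" in good or ">" in good,
    }


if __name__ == "__main__":
    for key, value in check(MALICIOUS_QUERY).items():
        print(f"{key}: {value}")
```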

Labels

  • severity: low (Does not significantly disrupt application functionality, or a workaround is available)
  • status: accepted (This issue has been accepted for implementation)
  • type: bug (A confirmed report of unexpected behavior in the application)
