Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

dont show token value on proxbox plugin page #162

Closed
ITJamie opened this issue Dec 11, 2023 · 2 comments
Closed

dont show token value on proxbox plugin page #162

ITJamie opened this issue Dec 11, 2023 · 2 comments
Assignees
@emersonfelipesp
Labels
accepted This issue has been accepted for implementation duplicate This issue or pull request already exists

Comments

@ITJamie
Copy link

ITJamie commented Dec 11, 2023

when visiting the proxbox plugin page: eg demo.netbox.dev/plugins/proxbox/ the user token is displayed in full. this should be considered a secret and not shown in the gui
@q3k
Copy link
Contributor

q3k commented Apr 11, 2024

This was caught during an infrastructure audit at an organization I'm active at, and would have allowed root access to all VMs (via the VM.Monitor permission).

Even worse, default NetBox installations seem to show the plugins page / details even to logged out users...

q3k added a commit to q3k/netbox-proxbox that referenced this issue Apr 11, 2024
@q3k
Hide sensitive data in web view
0826685 
Solves netdevopsbr#162
@q3k q3k mentioned this issue Apr 11, 2024
Merged
@emersonfelipesp emersonfelipesp self-assigned this Oct 24, 2024
@emersonfelipesp emersonfelipesp added duplicate This issue or pull request already exists accepted This issue has been accepted for implementation labels Oct 24, 2024
@emersonfelipesp
Copy link
Member

Pull Request #171 solves it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@emersonfelipesp emersonfelipesp

Labels
accepted This issue has been accepted for implementation duplicate This issue or pull request already exists
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@q3k @ITJamie @emersonfelipesp