Rapid7 · Rapid7 Metasploit Pro · CVE-2023-0599
**Name of the Vulnerable Software and Affected Versions**
Rapid7 Metasploit Pro versions 4.21.2 and lower
**Description**
The issue is caused by a lack of sanitization of JavaScript request strings. An authenticated attacker can use a specially crafted request to execute arbitrary HTML and script code in the browser of another Metasploit Pro user. In most deployments, Metasploit Pro users have privileges equivalent to local administrator.
**Recommendations**
For versions 4.21.2 and lower, consider disabling JavaScript request string processing until a patch is available to prevent exploitation of the stored cross-site scripting vulnerability. Restrict access to the vulnerable Metasploit Pro functionality to minimize the risk of exploitation. Avoid using specially crafted requests in the affected Metasploit Pro environment until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.