CVE-2016-9757

Name of the Vulnerable Software and Affected Versions Rapid7 Nexpose version 6.4.12

Description The issue allows any authenticated user with the capability to create tags to inject cross-site scripting (XSS) elements in the tag name field on the Create Tags page. When this tag is viewed in the Tag Detail page by another authenticated user, the script is executed in that user's browser context.

Recommendations For Rapid7 Nexpose version 6.4.12, consider restricting access to the tag creation feature to minimize the risk of exploitation until a fix is available. As a temporary workaround, avoid using the tag name field for any input that could be interpreted as script code.