PT-2018-16883 · Sonatype · Nexus Repository Manager

Daniel Ostovary

Publicado

2018-02-09

Atualizado

2018-02-27

CVE-2018-5306

CVSS v3.1

6.1

Média

Vetor

AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions Sonatype Nexus Repository Manager versions 3.x before 3.8

Description The issue concerns multiple cross-site scripting (XSS) vulnerabilities. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML via several parameters and fields, including:

the repoId or format parameter to the "service/siesta/healthcheck/healthCheckFileDetail/.../index.html" endpoint,
the filename in the "File Upload" functionality of the Staging Upload,
the username when creating a new user,
the IQ Server URL field in the IQ Server Connection functionality.

Recommendations For versions 3.x before 3.8, update to version 3.8 or later to resolve the issue.

Exploit

Correção

XSS

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-79

Identificadores relacionados

CVE-2018-5306

Produtos afetados

Nexus Repository Manager

PT-2018-16883 · Sonatype · Nexus Repository Manager

CVE-2018-5306

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 5