CVE-2018-5307

Name of the Vulnerable Software and Affected Versions Sonatype Nexus Repository Manager versions prior to 2.14.6

Description The issue concerns multiple cross-site scripting (XSS) vulnerabilities. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML via several parameters and fields, including the repoId or format parameter to the "service/siesta/healthcheck/healthCheckFileDetail/.../index.html" endpoint, the filename in the "File Upload" functionality of the Staging Upload, the username when creating a new user, or the IQ Server URL field in the IQ Server Connection functionality.

Recommendations For versions prior to 2.14.6, update to version 2.14.6 or later to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable endpoints and functionalities, such as limiting the ability to upload files or create new users, until a patch is applied. Avoid using the vulnerable parameters, such as repoId, format, filename, username, and IQ Server URL field, in the affected functionalities until the issue is resolved.