Rapid7 · Rapid7 Nexpose · CVE-2021-3535
Name of the Vulnerable Software and Affected Versions:
Rapid7 Nexpose versions prior to 6.6.81
Description:
The issue is a non-persistent cross-site scripting vulnerability affecting the Security Console's Filtered Asset Search feature. A specific search criterion and operator combination in Filtered Asset Search could have allowed a user to pass code through the provided search field.
Recommendations:
For versions prior to 6.6.81, update the Security Console to the latest version, specifically 6.6.81 or later, to resolve the issue. As a temporary workaround, consider restricting the use of the Filtered Asset Search feature until a patch is applied.