PT-2016-7817 · Rapid7 · Rapid7 Nexpose

Published

2016-12-20

Updated

2016-12-27

CVE-2016-9757

CVSS v3.1

5.4

Medium

Vector

AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions Rapid7 Nexpose version 6.4.12

Description The issue allows any authenticated user with the capability to create tags to inject cross-site scripting (XSS) elements in the tag name field on the Create Tags page. When this tag is viewed in the Tag Detail page by another authenticated user, the script is executed in that user's browser context.

Recommendations For Rapid7 Nexpose version 6.4.12, consider restricting access to the tag creation feature to minimize the risk of exploitation until a fix is available. As a temporary workaround, avoid using the tag name field for any input that could be interpreted as script code.

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-79

Related Identifiers

CVE-2016-9757

Affected Products

Rapid7 Nexpose

PT-2016-7817 · Rapid7 · Rapid7 Nexpose

CVE-2016-9757

Weakness Enumeration

Related Identifiers

Affected Products

References · 4