PT-2020-19569 · Rapid7 · Metasploit Pro

Published

2020-06-25

Updated

2020-07-06

CVE-2020-7355

CVSS v3.1

6.1

Medium

Vector

AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions Rapid7 Metasploit Pro versions prior to 4.17.1-20200514

Description A Cross-site Scripting (XSS) issue exists in the 'notes' field of a discovered scan asset, allowing an attacker to store an XSS sequence in the Metasploit Pro console. This sequence will trigger when the operator views the record of the scanned host in the Metasploit Pro interface.

Recommendations For versions prior to 4.17.1-20200514, update to Metasploit Pro version 4.17.1-20200514 or later to resolve the issue. As a temporary workaround, consider restricting access to the 'notes' field of discovered scan assets to minimize the risk of exploitation.

Exploit

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-79

Related Identifiers

CVE-2020-7355

Affected Products

Metasploit Pro

PT-2020-19569 · Rapid7 · Metasploit Pro

CVE-2020-7355

Weakness Enumeration

Related Identifiers

Affected Products

References · 6