Cross-Site Scripting Vulnerability in Rapid7 Nexpose User Interface
CVE-2016-9757

5.4MEDIUM

Key Information:

Vendor: Rapid7
Status: Nexpose
Vendor: CVE Published:; 20 December 2016

What is CVE-2016-9757?

In the Rapid7 Nexpose version 6.4.12 user interface, an XSS vulnerability exists in the Create Tags page. Any authenticated user authorized to create tags can inject malicious scripts into the tag name field. When another authenticated user views this tag on the Tag Detail page, the injected script executes in their browser context, potentially leading to unauthorized actions or data exposure.

Affected Version(s)

Nexpose 6.4.12

References

https://help.rapid7.com/nexpose/en-us/release-notes/#6.4.13

x_refsource_CONFIRM

http://www.securityfocus.com/bid/94996

vdb-entryx_refsource_BID

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 20, 2016
Vulnerability Reserved
Dec 2, 2016