Cross-Site Scripting Vulnerability in Rapid7 Nexpose User Interface
CVE-2016-9757

5.4MEDIUM

Key Information:

Vendor: Rapid7
Status: Nexpose
Vendor: CVE Published:; 20 December 2016

What is CVE-2016-9757?

In the Rapid7 Nexpose version 6.4.12 user interface, an XSS vulnerability exists in the Create Tags page. Any authenticated user authorized to create tags can inject malicious scripts into the tag name field. When another authenticated user views this tag on the Tag Detail page, the injected script executes in their browser context, potentially leading to unauthorized actions or data exposure.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

Nexpose 6.4.12

References

https://help.rapid7.com/nexpose/en-us/release-notes/#6.4.13

x_refsource_CONFIRM

http://www.securityfocus.com/bid/94996

vdb-entryx_refsource_BID

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Dec 20, 2016
Vulnerability Reserved
Dec 2, 2016

JSON

Rapid7