Non-persistent Cross-Site Scripting Vulnerability in Rapid7 Nexpose Security Console
CVE-2021-3535
CVSS 4.3 MEDIUM
What is CVE-2021-3535?
Rapid7 Nexpose contains a non-persistent (reflected) cross-site scripting vulnerability in the Filtered Asset Search functionality of its Security Console. The flaw allows a user to enter specific criteria into the search field that are reflected back to the browser and could then execute arbitrary code. It affects all versions of Nexpose up to and including 6.6.80; users should upgrade to version 6.6.81 or later to remediate it.
Affected Version(s)
Rapid7 Nexpose < 6.6.81
CVSS v3.1
Score: 4.3
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Credit
This issue was discovered and reported by Philipp Behmer.