| Field | Value |
|---|---|
| Vulnerability Name | CVE-2016-9757 (CCN-119927) |
| Assigned | 2016-10-12 |
| Published | 2016-10-12 |
| Updated | 2016-12-27 |
| Summary | In the Create Tags page of the Rapid7 Nexpose version 6.4.12 user interface, any authenticated user who has the capability to create tags can inject cross-site scripting (XSS) elements in the tag name field. Once this tag is viewed in the Tag Detail page of the Rapid7 Nexpose 6.4.12 UI by another authenticated user, the script is run in that user's browser context. |
| CVSS v3 Severity (Base) | 5.4 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) |
| CVSS v3 Severity (Temporal) | 5.2 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:H/RL:O/RC:C) |
| CVSS v3 Severity (CCN Temporal) | 5.2 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:H/RL:O/RC:C) |
| CVSS v2 Severity | 3.5 Low (CVSS v2 Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N) |
| Vulnerability Type | CWE-79 |
| Vulnerability Consequences | Cross-Site Scripting |
| Vulnerable Configuration | Configuration 1; Configuration CCN 1 |
| Oval Definitions | |

References:

- Source: MITRE, Type: CNA: CVE-2016-9757
- Source: BID, Type: Third Party Advisory, VDB Entry: 94996
- Source: CCN, Type: BID-94996: Rapid7 Nexpose CVE-2016-9757 Cross Site Scripting Vulnerability
- Source: XF, Type: UNKNOWN: rapid7-nexpose-cve20169757-xss(119927)
- Source: CCN, Type: Rapid7 Web site: Nexpose Recent Releases
- Source: CONFIRM, Type: Vendor Advisory: https://help.rapid7.com/nexpose/en-us/release-notes/#6.4.13