Lucene search

K
cveRapid7CVE-2016-9757
HistoryDec 20, 2016 - 10:59 p.m.

CVE-2016-9757

2016-12-2022:59:00
CWE-79
rapid7
web.nvd.nist.gov
21
4
rapid7
nexpose
v6.4.12
xss
cross-site scripting
tag creation
information security
cve-2016-9757

CVSS2

3.5

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

21.6%

In the Create Tags page of the Rapid7 Nexpose version 6.4.12 user interface, any authenticated user who has the capability to create tags can inject cross-site scripting (XSS) elements in the tag name field. Once this tag is viewed in the Tag Detail page of the Rapid7 Nexpose 6.4.12 UI by another authenticated user, the script is run in that user’s browser context.

Affected configurations

Nvd
Node
rapid7nexposeMatch6.4.12
VendorProductVersionCPE
rapid7nexpose6.4.12cpe:/a:rapid7:nexpose:6.4.12:::

CNA Affected

[
  {
    "product": "Nexpose",
    "vendor": "Rapid7",
    "versions": [
      {
        "status": "affected",
        "version": "6.4.12"
      }
    ]
  }
]

Social References

More

CVSS2

3.5

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

21.6%

Related for CVE-2016-9757