Lucene search

CVE-2018-5306

🗓️ 09 Feb 2018 22:01:29Reported by mitreType

cve🔗 web.nvd.nist.gov👁 29 Views🌐 WEB

Multiple XSS vulnerabilities in Sonatype Nexus Repository Manager (NXRM) 3.x before 3.8 allow remote attackers to inject arbitrary web script or HTML

Reporter	Title	Published	Views	Family All 7
Veracode	Cross-Site Scripting (XSS)	12 Mar 201902:07	–	veracode
Prion	Cross site scripting	9 Feb 201822:29	–	prion
NVD	CVE-2018-5306	9 Feb 201822:29	–	nvd
Cvelist	CVE-2018-5306	9 Feb 201822:00	–	cvelist
OSV	CVE-2018-5306	9 Feb 201822:29	–	osv
Packet Storm	Sonatype Nexus Repository Manager OSS/Pro 2.14.5 / 3.7.1 XSS	8 Feb 201800:00	–	packetstorm
0day.today	Sonatype Nexus Repository Manager OSS/Pro Multiple Cross-Site Scripting Vulnerabilities	9 Feb 201800:00	–	zdt

Nvd

Node

sonatype nexus_repository_managerRange3.0–3.8

Source	Link
sec-consult	www.sec-consult.com/en/blog/advisories/multiple-cross-site-scripting-vulnerabilities-in-sonatype-nexus-repository-manager-oss-pro/index.html
seclists	www.seclists.org/fulldisclosure/2018/Feb/23
support	www.support.sonatype.com/hc/en-us/articles/360000134968

Parameter	Position	Path	Description	CWE
repoId	query param	/nexus/service/siesta/healthcheck/healthCheckFileDetail/.../index.html	Reflected XSS vulnerability allowing remote attackers to execute arbitrary JavaScript code.	CWE-79
format	query param	/nexus/service/siesta/healthcheck/healthCheckFileDetail/.../index.html	Reflected XSS vulnerability allowing remote attackers to execute arbitrary JavaScript code.	CWE-79
filename	binary	/nexus/static/icons/glyph_help.png	Stored XSS vulnerability via file upload with a malicious JavaScript payload in the filename.	CWE-79
username	nested	/nexus/static/icons/glyph_help.png	Stored XSS vulnerability allowing injection of JavaScript/HTML code in the username field.	CWE-79
IQ Server URL	nested	/nexus/static/icons/glyph_help.png	Stored XSS vulnerability allowing permanent injection of JavaScript code into the IQ Server Dashboard.	CWE-79

Transform Your Security Services

Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.

Book a live demo

09 Feb 2018 22:29Current

6Medium risk

Vulners AI Score6

CVSS24.3

CVSS36.1

EPSS0.0022

CWE-79