The Velociraptor GUI contains an editor suggestion feature that can display the description field of a VQL function, plugin or artifact. This field was not properly sanitized and can lead to cross-site scripting (XSS). This issue was resolved in Velociraptor 0.6.5-2.
[
{
"product": "Velociraptor",
"vendor": "Rapid7",
"versions": [
{
"lessThan": "0.6.5-2",
"status": "affected",
"version": "0.6.5-2",
"versionType": "custom"
}
]
}
]