CVE-2016-9757

MEDIUM

Rapid7 Nexpose - XSS

Title source: rule

Description

In the Create Tags page of the Rapid7 Nexpose version 6.4.12 user interface, any authenticated user who has the capability to create tags can inject cross-site scripting (XSS) elements in the tag name field. Once this tag is viewed in the Tag Detail page of the Rapid7 Nexpose 6.4.12 UI by another authenticated user, the script is run in that user's browser context.

References (2)

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/94996

[Vendor Advisory] https://help.rapid7.com/nexpose/en-us/release-notes/#6.4.13

Scores

CVSS v3 5.4

EPSS 0.0022

EPSS Percentile 44.8%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Classification

CWE

CWE-79

Status published

Affected Products (2)

rapid7/nexpose

Rapid7/Nexpose < 6.4.12

Timeline

Published Dec 20, 2016

Tracked Since Feb 18, 2026