CVE-2016-9757: XSS
First published: Tue Dec 20 2016(Updated: )
In the Create Tags page of the Rapid7 Nexpose version 6.4.12 user interface, any authenticated user who has the capability to create tags can inject cross-site scripting (XSS) elements in the tag name field. Once this tag is viewed in the Tag Detail page of the Rapid7 Nexpose 6.4.12 UI by another authenticated user, the script is run in that user's browser context.
Credit: cve@rapid7.con
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Rapid7 Nexpose | =6.4.12 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2016-9757?
CVE-2016-9757 has a medium severity rating due to its potential for cross-site scripting attacks.
How do I fix CVE-2016-9757?
To fix CVE-2016-9757, upgrade to Rapid7 Nexpose version 6.4.13 or later.
Who is affected by CVE-2016-9757?
CVE-2016-9757 affects authenticated users of Rapid7 Nexpose version 6.4.12 who can create tags.
What kind of attack does CVE-2016-9757 enable?
CVE-2016-9757 enables cross-site scripting (XSS) attacks through the Tag Name field.
What is the impact of CVE-2016-9757?
The impact of CVE-2016-9757 allows attackers to execute malicious scripts in the context of users viewing the tag.
- collector/nvd-index
- agent/references
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/author
- agent/weakness
- agent/severity
- agent/last-modified-date
- agent/tags
- agent/description
- agent/first-publish-date
- agent/event
- agent/source
- vendor/rapid7
- canonical/rapid7 nexpose
- version/rapid7 nexpose/6.4.12