// For flags

CVE-2021-3535

 

Severity Score

6.1
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Rapid7 Nexpose is vulnerable to a non-persistent cross-site scripting vulnerability affecting the Security Console's Filtered Asset Search feature. A specific search criterion and operator combination in Filtered Asset Search could have allowed a user to pass code through the provided search field. This issue affects version 6.6.80 and prior, and is fixed in 6.6.81. If your Security Console currently falls on or within this affected version range, ensure that you update your Security Console to the latest version.

Rapid7 Nexpose es suceptible a una vulnerabilidad de tipo cross-site scripting no persistente que afecta a la funcionalidad Filtered Asset Search de Security Console. Un criterio de búsqueda específico y una combinación de operadores en la búsqueda de activos filtrados podrían haber permitido a un usuario pasar código mediante el campo de búsqueda proporcionado. Este problema afecta a la versión 6.6.80 y anteriores, y se ha corregido en la versión 6.6.81. Si su Security Console se encuentra actualmente dentro de este rango de versiones afectadas, asegúrese de actualizar su Security Console a la última versión

*Credits: This issue was discovered and reported by Philipp Behmer.
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None
Attack Vector
Network
Attack Complexity
Medium
Authentication
None
Confidentiality
None
Integrity
Partial
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2021-05-05 CVE Reserved
  • 2021-06-16 CVE Published
  • 2024-02-08 EPSS Updated
  • 2024-09-16 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC
References (1)
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Rapid7
Search vendor "Rapid7"
Nexpose
Search vendor "Rapid7" for product "Nexpose"
< 6.6.81
Search vendor "Rapid7" for product "Nexpose" and version " < 6.6.81"
-
Affected