← Back

CVE-2020-7354

nvd nist
Published: Jun 25, 2020Modified: Nov 21, 2024

JSON object

Loading...
5.4
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Exploitability: 2.8 / Impact: 2.5
Source: NVD

Description

Cross-site Scripting (XSS) vulnerability in the 'host' field of a discovered scan asset in Rapid7 Metasploit Pro allows an attacker with a specially-crafted network service of a scan target to store an XSS sequence in the Metasploit Pro console, which will trigger when the operator views the record of that scanned host in the Metasploit Pro interface. This issue affects Rapid7 Metasploit Pro version 4.17.1-20200427 and prior versions, and is fixed in Metasploit Pro version 4.17.1-20200514. See also CVE-2020-7355, which describes a similar issue, but involving the generated 'notes' field of a discovered scan asset.

Affected (76)

Products: Rapid7: Metasploit
Rapid7
1 product
Metasploit
Configuration A
76 vulnerable
Vulnerable SoftwareAffected Versions
Rapid7
Metasploit
Before 4.17.1
Metasploit
Version 4.17.1
Metasploit
Version 4.17.1 20170221
Metasploit
Version 4.17.1 20170323
Metasploit
Version 4.17.1 20170405
Metasploit
Version 4.17.1 20170419
Metasploit
Version 4.17.1 20170510
Metasploit
Version 4.17.1 20170518
Metasploit
Version 4.17.1 20170530
Metasploit
Version 4.17.1 20170613
Metasploit
Version 4.17.1 20170627
Metasploit
Version 4.17.1 20170718
Metasploit
Version 4.17.1 20170731
Metasploit
Version 4.17.1 20170816
Metasploit
Version 4.17.1 20170828
Metasploit
Version 4.17.1 20170914
Metasploit
Version 4.17.1 20170926
Metasploit
Version 4.17.1 20171009
Metasploit
Version 4.17.1 20171030
Metasploit
Version 4.17.1 20171115
Metasploit
Version 4.17.1 20171129
Metasploit
Version 4.17.1 20171206
Metasploit
Version 4.17.1 20171220
Metasploit
Version 4.17.1 20180108
Metasploit
Version 4.17.1 20180124
Metasploit
Version 4.17.1 20180206
Metasploit
Version 4.17.1 20180301
Metasploit
Version 4.17.1 20180312
Metasploit
Version 4.17.1 20180327
Metasploit
Version 4.17.1 20180410
Metasploit
Version 4.17.1 20180501
Metasploit
Version 4.17.1 20180511
Metasploit
Version 4.17.1 20180526
Metasploit
Version 4.17.1 20180618
Metasploit
Version 4.17.1 20180704
Metasploit
Version 4.17.1 20180716
Metasploit
Version 4.17.1 20180727
Metasploit
Version 4.17.1 20180813
Metasploit
Version 4.17.1 20180827
Metasploit
Version 4.17.1 20180907
Metasploit
Version 4.17.1 20180924
Metasploit
Version 4.17.1 20181009
Metasploit
Version 4.17.1 20181022
Metasploit
Version 4.17.1 20181105
Metasploit
Version 4.17.1 20181130
Metasploit
Version 4.17.1 20181215
Metasploit
Version 4.17.1 20190108
Metasploit
Version 4.17.1 20190118
Metasploit
Version 4.17.1 20190201
Metasploit
Version 4.17.1 20190219
Metasploit
Version 4.17.1 20190303
Metasploit
Version 4.17.1 20190319
Metasploit
Version 4.17.1 20190331
Metasploit
Version 4.17.1 20190416
Metasploit
Version 4.17.1 20190426
Metasploit
Version 4.17.1 20190513
Metasploit
Version 4.17.1 20190603
Metasploit
Version 4.17.1 20190607
Metasploit
Version 4.17.1 20190626
Metasploit
Version 4.17.1 20190722
Metasploit
Version 4.17.1 20190805
Metasploit
Version 4.17.1 20190819
Metasploit
Version 4.17.1 20190910
Metasploit
Version 4.17.1 20190930
Metasploit
Version 4.17.1 20191014
Metasploit
Version 4.17.1 20191030
Metasploit
Version 4.17.1 20191108
Metasploit
Version 4.17.1 20191209
Metasploit
Version 4.17.1 20200113
Metasploit
Version 4.17.1 20200122
Metasploit
Version 4.17.1 20200131
Metasploit
Version 4.17.1 20200218
Metasploit
Version 4.17.1 20200302
Metasploit
Version 4.17.1 20200318
Metasploit
Version 4.17.1 20200330
Metasploit
Version 4.17.1 20200413

Related CWEs

CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (4)

Source: cve@rapid7.com
ExploitThird Party Advisory
Source: cve@rapid7.com
Release NotesVendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
ExploitThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Release NotesVendor Advisory

Timeline

No history available yet.