Platform
other
Component
rapid7-nexpose
Fixed in
6.6.130
CVE-2022-0758 describes a reflected cross-site scripting (XSS) vulnerability found in Rapid7 Nexpose. This flaw allows an attacker to inject malicious scripts into the application through the shared scan configuration feature, potentially compromising user sessions and data. The vulnerability impacts versions of Nexpose up to and including 6.6.129, and a fix is available in version 6.6.130.
Successful exploitation of CVE-2022-0758 could allow an attacker to execute arbitrary JavaScript code within the context of a user's browser session. This could lead to the theft of sensitive information, such as credentials or session cookies. An attacker could also potentially deface the Nexpose interface or redirect users to malicious websites. The impact is amplified if the affected Nexpose instance is used to manage vulnerabilities across a large network, as a compromised account could provide access to a wide range of systems and data.
CVE-2022-0758 was publicly disclosed on March 17, 2022. No known public exploits or active campaigns targeting this vulnerability have been reported. The CVSS score of 3.3 indicates a low probability of exploitation, but the potential impact warrants prompt remediation. This vulnerability is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS
0.27% (50% percentile)
CVSS Vector
The primary mitigation for CVE-2022-0758 is to upgrade Rapid7 Nexpose to version 6.6.130 or later. If an immediate upgrade is not possible, carefully review and sanitize all user-supplied input, particularly within the shared scan configuration settings. Consider implementing input validation and output encoding to prevent the injection of malicious scripts. While not a direct fix, restricting access to the shared scan configuration feature to authorized personnel can reduce the attack surface.
Actualice Rapid7 Nexpose a la versión 6.6.130 o posterior. Esta versión corrige la vulnerabilidad XSS reflejada en el componente de configuración de escaneo compartido.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2022-0758 is a reflected XSS vulnerability in Rapid7 Nexpose versions up to 6.6.129, allowing attackers to inject malicious scripts via shared scan configurations.
You are affected if you are running Rapid7 Nexpose version 6.6.129 or earlier. Upgrade to 6.6.130 or later to mitigate the vulnerability.
Upgrade Rapid7 Nexpose to version 6.6.130 or later. As a temporary workaround, sanitize user input in shared scan configurations.
No active exploitation campaigns targeting CVE-2022-0758 have been reported at this time.
Refer to the official Rapid7 security advisory for detailed information and remediation steps: https://www.rapid7.com/blog/security/2022/03/17/nexpose-vulnerability-cve-2022-0758/
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.