June 7, 2023

Rapid7 security released the fix of a critical SQL injection vulnerability in Nexpose, a popular local vulnerabilities management software. The flaw was tracked as CVE-2022-0757 and received a score of 9.8/10 according to the Common Vulnerability Scoring System (CVSS).

Attackers can inject SQL code after manipulating the ‘ALL’ or ‘ANY’ filter query operators in the Search Criteria.

Advertisements

This issue affects all versions of Nexpose alternately known as Security Console up to and including 6.6.128. The latest version also includes support for TLS 1.3 services, an added vulnerability checks for Log4j, and additional Metasploit-based vulnerability coverage.

The Nexpose vulnerability scanner also contained a medium severity cross-site scripting (XSS) flaw.

Residing in the shared scan configuration, the reflected XSS bug enables an attacker to “pass literal values as the test credentials, providing the opportunity for a potential XSS attack”, reads the description of CVE-2022-0758.

The CVSS-6.1 rated bug impacts versions 6.6.129 and earlier and was fixed in Security Console version 6.6.130, released on March 9.

Tags:

Leave a Reply

You may have missed

Microsoft to comply with LinkedIn GDPR Violation

Microsoft to comply with LinkedIn GDPR Violation

June 7, 2023
Google Fixes Third Chrome Zeroday

Google Fixes Third Chrome Zeroday

June 6, 2023
Moveit Attributed to Lace Tempest

Moveit Attributed to Lace Tempest

June 6, 2023
Byte Code Bites PYPI

Byte Code Bites PYPI

June 5, 2023
Enzo Biochem Suffers a Data Breach

Enzo Biochem Suffers a Data Breach

June 5, 2023
BlackSuit Ransomware Dissection

BlackSuit Ransomware Dissection

June 4, 2023
%d bloggers like this: