September 23, 2023

Rapid7 security released the fix of a critical SQL injection vulnerability in Nexpose, a popular local vulnerabilities management software. The flaw was tracked as CVE-2022-0757 and received a score of 9.8/10 according to the Common Vulnerability Scoring System (CVSS).

Attackers can inject SQL code after manipulating the ‘ALL’ or ‘ANY’ filter query operators in the Search Criteria.

Advertisements

This issue affects all versions of Nexpose alternately known as Security Console up to and including 6.6.128. The latest version also includes support for TLS 1.3 services, an added vulnerability checks for Log4j, and additional Metasploit-based vulnerability coverage.

The Nexpose vulnerability scanner also contained a medium severity cross-site scripting (XSS) flaw.

Residing in the shared scan configuration, the reflected XSS bug enables an attacker to “pass literal values as the test credentials, providing the opportunity for a potential XSS attack”, reads the description of CVE-2022-0758.

The CVSS-6.1 rated bug impacts versions 6.6.129 and earlier and was fixed in Security Console version 6.6.130, released on March 9.

Tags:

Leave a Reply

You may have missed

SandMan APT Group in action against Telcos

September 22, 2023

Gold Melody IAB Unsunging for Several Years

September 22, 2023

Apple fixes trio of Zeroday Exploits

September 22, 2023

T-Mobile and Data Breach tightly coupled

September 21, 2023

Cisco Acquires Splunk in a blockbuster deal

September 21, 2023

Atlassian BitBucket and Confluence Vulnerabilities

September 21, 2023
%d bloggers like this: