CVE-2021-3535: 
Nexpose vulnerability analysis and mitigation

Rapid7 Nexpose contains a non-persistent cross-site scripting vulnerability (CVE-2021-3535) affecting the Security Console's Filtered Asset Search feature. The vulnerability was discovered in version 6.6.80 and prior versions, and was fixed in version 6.6.81. A specific search criterion and operator combination in Filtered Asset Search could allow a user to pass code through the provided search field (Rapid7 Advisory, NVD).

The vulnerability is classified as a CWE-79 (Improper Neutralization of Input During Web Page Generation) issue. It received a CVSS v3.1 base score of 6.1 (Medium) from NVD with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, while Rapid7 assessed it with a CVSS score of 4.3 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N (NVD).

Since this is a non-persistent cross-site scripting vulnerability, only the user attempting to exploit this vulnerability would be affected. The vulnerability could allow an attacker to pass malicious code through the search field (Rapid7 Advisory).

The vulnerability was fixed in Nexpose version 6.6.81. Organizations using affected versions (6.6.80 and prior) should update their Security Console to the latest version to remediate this vulnerability (Rapid7 Advisory).

Special thanks was given to Philipp Behmer for reporting this issue to Rapid7 (Rapid7 Advisory).