CVE-2021-37152: 
Sonatype Nexus 3 vulnerability analysis and mitigation

Multiple cross-site scripting (XSS) vulnerabilities were discovered in Sonatype Nexus Repository Manager 3 versions prior to 3.33.0. The vulnerability was disclosed on August 5, 2021, and assigned identifier CVE-2021-37152. The issue affects all versions of Nexus Repository 3 up to and including version 3.32.0 (Vendor Advisory).

The vulnerability allows an authenticated attacker with the ability to add HTML files to a repository to execute arbitrary JavaScript within the context of the application. The vulnerability has a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The issue is classified as CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (NVD).

When exploited, the vulnerability allows injected JavaScript to forge requests on behalf of the user, redirect users to other sites, or modify page content. This can lead to the compromise of confidentiality and integrity of data when users view malicious entities (Vendor Advisory).

The vulnerability has been fixed in Nexus Repository OSS/Pro version 3.33.0. The fix includes adding a repository configuration option to force downloading HTML files instead of rendering them in the browser. Sonatype strongly recommends upgrading all affected instances to version 3.33.0 or later (Vendor Advisory).