CVE-2022-0758: 
Nexpose vulnerability analysis and mitigation

Rapid7 Nexpose versions 6.6.129 and earlier contain a reflected cross-site scripting vulnerability in the shared scan configuration component. The vulnerability was discovered and fixed in Rapid7 Nexpose version 6.6.130, released on March 9, 2022. The vulnerability affects the test credentials functionality in Shared Scan Credential Configurations (Rapid7 Advisory, NVD Database).

The vulnerability allows an attacker to pass literal values as test credentials, which could enable a potential cross-site scripting (XSS) attack. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). The CVSS v3.1 base score is 6.1 (Medium) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N according to NVD's assessment (NVD Database).

If exploited, this cross-site scripting vulnerability could allow attackers to execute malicious scripts in the context of the user's browser session, potentially leading to the theft of sensitive information or manipulation of the application's functionality (NVD Database).

The vulnerability has been fixed in Rapid7 Nexpose version 6.6.130. Users are advised to upgrade to this version or later to address the security issue. No alternative workarounds have been published (Rapid7 Advisory).

Special acknowledgment was given to Aleksey Solovev from Positive Technologies for reporting this issue to Rapid7 (Rapid7 Advisory).