CVE-2024-5083: 
Sonatype Nexus vulnerability analysis and mitigation

A stored Cross-site Scripting (XSS) vulnerability (CVE-2024-5083) has been discovered in Sonatype Nexus Repository 2, affecting all versions up to and including 2.15.1. The vulnerability was discovered by Michael Stepankin (artsploit) through Sonatype's Bug Bounty Program and was disclosed on November 13, 2024. The issue has been assigned a CVSSv4 score of 5.1 (Medium) (Sonatype Advisory, Security Online).

The vulnerability allows an attacker to publish a maven artifact containing an embedded XSS payload. When an administrator views the content of the malicious artifact in their browser window, it can trigger the execution of unwanted actions with the administrator's account privileges. The vulnerability has been assigned CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD).

If successfully exploited, the vulnerability could allow attackers to execute unwanted actions with administrator account privileges when the malicious artifact's content is viewed. This could potentially lead to unauthorized actions being performed within the system under the context of the administrator's account (Sonatype Advisory).

The vulnerability has been fixed in Sonatype Nexus Repository Manager 2.x OSS/Pro version 2.15.2. For deployments that cannot upgrade immediately, Sonatype provides alternative mitigation through Nginx configuration using Content Security Policy headers. Additionally, Sonatype recommends migrating to Nexus Repository 3 as version 2.x is under Extended Maintenance (Sonatype Advisory).