Connect with us

Hi, what are you looking for?

Hard News Hard Hitting News Source Global Political News

Business News

Critical SQL injection flaw fixed in Rapid7’s Nexpose vulnerability scanner

Rapid7 has patched a critical SQL injection vulnerability in Nexpose, its on-premises vulnerability management software.

The flaw, which has a CVSS rating of 9.8, arose because valid search operators were not defined, according to the CVE description for the bug, which is tracked as CVE-2022-0757.

Consequently, attackers can inject SQL code after manipulating the ‘ALL’ or ‘ANY’ filter query operators in the SearchCriteria.

This issue affects all versions of Nexpose – alternately known as Security Console – up to and including 6.6.128.

XSS in the mix

Rapid7, a Massachusetts-based cybersecurity firm, addressed the issue in Nexpose version 6.6.129, released March 2.

The latest version also includes support for TLS 1.3 services, an added vulnerability check for Log4j, and additional Metasploit-based vulnerability coverage.

The Nexpose vulnerability scanner also contained a medium severity cross-site scripting (XSS) flaw.

Residing in the shared scan configuration, the reflected XSS bug enables an attacker to “pass literal values as the test credentials, providing the opportunity for a potential XSS attack”, reads the description of CVE-2022-0758.

The CVSS-6.1 rated bug impacts versions 6.6.129 and earlier and was fixed in Security Console version 6.6.130, released on March 9.

The bugs were uncovered by Aleksey Solovev, security researcher at PT Swarm, the offensive team of Positive Technologies.

The Daily Swig has contacted Positive Technologies and Rapid7 with an invitation to comment further. We will update this article if and when they comment.

Source: https://portswigger.net/daily-swig/critical-sql-injection-flaw-fixed-in-rapid7s-nexpose-vulnerability-scanner

Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

You May Also Like

Cyber Security

New capabilities in Google Workspace will help enterprises improve account and data security, by making unauthorized takeover of admin and user accounts and exfiltration...

Cyber Security

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has given federal agencies three weeks to secure Adobe ColdFusion servers on their networks against two...

Cyber Security

Businesses and developers are focusing more on the security of applications in their digital environment as cyber threats and data breaches continue escalating. The...

Cyber Security

HCL BigFix is an endpoint management platform that has the capability to automate discovery, management, and remediation. It can find and fix vulnerabilities on...

Copyright © 2023 Hard News Herd Hitting in Your Face News Source | World News | Breaking News | US News | Political News Website by Top Search SEO