Nexpose users are urged to update to the latest version of Nexpose to receive the patch for the described security vulnerability. Note that by default, Nexpose installations update themselves automatically.

A cross-site scripting (XSS) vulnerability has been discovered by Yunus ÇADIRCI and subsequently patched in recent versions of Rapid7's Nexpose vulnerability scanner.

By embedding URL-encoded HTML tags (including script tags) in a link to the Nexpose console, an unauthenticated attacker can lure a victim into running attacker-controlled script in the context of the console's origin. If the victim is logged in, that script can disclose sensitive details regarding the victim's Nexpose session; an unauthenticated victim is still exposed to the script, but has no session to leak. Nexpose users are urged to update their installation to the latest patches if they are not already on an automated update schedule.

Vulnerability Details

The following proof-of-concept request is sufficient to exercise the vulnerability. The nodeid parameter, normally a numeric identifier, is reflected into the response without being HTML-escaped:

GET /vulnerability/vuln-summary.jsp?vulnid=-1&nodeid=-1%27%3Cscript%3Ealert(document.location)%3C/script%3E HTTP/1.1
Host: 1.2.3.4:3780

If an authenticated Nexpose user follows this link, the injected script executes in her browser under the console's origin, and she is presented with a standard alert box displaying the page URL. The alert merely demonstrates execution; a real attacker would substitute script that quietly reads session data and sends it elsewhere.
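To make the reflection concrete, here is an added example (written for this page, not Rapid7 code and not the Nexpose JSP source) that builds the proof-of-concept URL above from its decoded payload, then contrasts a stand-in for the unpatched rendering, which copies nodeid straight into the HTML, with a hardened rendering that validates the id and HTML-escapes output. The two render functions are assumptions about the shape of the page, not the real template; the host 1.2.3.4:3780 is the one from the advisory.

```python
"""Added example: PoC URL construction and vulnerable-vs-hardened reflection.

Not Rapid7 code. The render_* functions are simplified stand-ins for the
Nexpose vuln-summary.jsp page; only the reflection behaviour is modelled.
"""
import html
import re
from urllib.parse import parse_qs, quote, urlsplit

PATH = "/vulnerability/vuln-summary.jsp"
# Decoded form of the payload carried in the advisory's nodeid parameter.
PAYLOAD = "-1'<script>alert(document.location)</script>"
INTEGER_ID = re.compile(r"-?\d+")
SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def build_poc_url(host: str, payload: str = PAYLOAD) -> str:
    """Percent-encode the payload exactly as the advisory's request does.

    '(' ')' and '/' are left unencoded so the result matches the PoC line;
    the browser would accept either form.
    """
    return f"https://{host}{PATH}?vulnid=-1&nodeid={quote(payload, safe='/()')}"


def _nodeid_from(url: str) -> str:
    # parse_qs percent-decodes once, turning %3C back into '<'.
    return parse_qs(urlsplit(url).query).get("nodeid", [""])[0]


def render_vulnerable(url: str) -> str:
    """Stand-in for the unpatched behaviour: the decoded value is copied
    into the response body without escaping, so the tags become live HTML."""
    return f"<p>No vulnerability found for node {_nodeid_from(url)}</p>"


def render_hardened(url: str) -> str:
    """Two independent defences: reject anything that is not an integer id
    (and never echo the rejected value), and HTML-escape what is echoed."""
    nodeid = _nodeid_from(url)
    if not INTEGER_ID.fullmatch(nodeid):
        return "<p>Invalid node id</p>"
    return f"<p>No vulnerability found for node {html.escape(nodeid)}</p>"


def reflects_script(body: str) -> bool:
    """True when a raw <script> tag survives into the response body."""
    return SCRIPT_TAG.search(body) is not None


if __name__ == "__main__":
    url = build_poc_url("1.2.3.4:3780")
    print(url)
    print("vulnerable reflects script:", reflects_script(render_vulnerable(url)))
    print("hardened reflects script:  ", reflects_script(render_hardened(url)))
```

The validation step matters more than the escaping: an id parameter has no business containing quotes or angle brackets, and refusing to echo it at all removes the reflection sink entirely. The escape is defence in depth for the case where a future change relaxes the check.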

Affected Versions

Nexpose versions 5.7.19 and prior are affected. Version 5.7.20, released on November 27, 2013, contains the fix and is not affected by the vulnerability.

Workarounds

Users can reduce the impact of XSS vulnerabilities by using a dedicated browser profile or a private/incognito window for the Nexpose console, so that the console session is not available to links opened from other sites, and by avoiding websites with untrusted user-generated content while logged in. In addition, site administrators can restrict access to Nexpose consoles (TCP port 3780 by default) to trusted networks with firewall ingress and egress rules in place, which also limits where a victim's browser can be sent from. Finally, airgapped installations are much harder to attack with a non-persistent XSS such as this, since the attacker must still get a crafted link in front of a user who can reach the console; they are not immune.
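For sites that cannot patch immediately, a detection check belongs alongside the workarounds above. The following is an added example (not Rapid7 code, and not based on any Nexpose log format) that scans constructed reverse-proxy access log lines in combined log format for requests to the vulnerable endpoint whose id parameters are not plain integers. It decodes repeatedly so a double-encoded payload (%253C for '<') is caught as well as the single-encoded form in the advisory. The log lines are made up for this example.

```python
"""Added example: flag reflected-XSS attempts against vuln-summary.jsp in
access logs. Not Rapid7 code; the log lines below are constructed and use
the common 'combined' format a reverse proxy in front of the console might
write. Nexpose's own logging is not assumed.
"""
import re
from typing import Dict, Iterable, Iterator, List, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
ENDPOINT = "/vulnerability/vuln-summary.jsp"
ID_PARAMS = ("vulnid", "nodeid")   # both are numeric identifiers in legitimate use
INTEGER_ID = re.compile(r"-?\d+")


def fully_decode(value: str, limit: int = 5) -> str:
    """Percent-decode until the string stops changing (bounded), so that
    %253Cscript%253E is normalised to <script> just like %3Cscript%3E."""
    for _ in range(limit):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(target: str) -> Dict[str, str]:
    """Return {param: decoded value} for id parameters that are not integers.

    Scoped to the advisory's endpoint; other paths are ignored here.
    """
    parts = urlsplit(target)
    if parts.path != ENDPOINT:
        return {}
    hits: Dict[str, str] = {}
    # parse_qs already decodes one layer; fully_decode strips any extra layers.
    for name, values in parse_qs(parts.query).items():
        if name not in ID_PARAMS:
            continue
        for raw in values:
            decoded = fully_decode(raw)
            if not INTEGER_ID.fullmatch(decoded):
                hits[name] = decoded
    return hits


def scan(lines: Iterable[str]) -> Iterator[Tuple[int, Dict[str, str]]]:
    """Yield (1-based line number, suspicious params) for each flagged request."""
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        hits = suspicious_params(m.group("target"))
        if hits:
            yield n, hits


# Constructed sample log (not real traffic): benign, the advisory's PoC,
# a double-encoded variant, and a script tag against an unrelated path.
SAMPLE_LOG: List[str] = [
    '10.0.0.5 - - [11/Dec/2013:10:00:01 +0000] "GET /vulnerability/vuln-summary.jsp?vulnid=1234&nodeid=7 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [11/Dec/2013:10:00:02 +0000] "GET /vulnerability/vuln-summary.jsp?vulnid=-1&nodeid=-1%27%3Cscript%3Ealert(document.location)%3C/script%3E HTTP/1.1" 200 4801',
    '10.0.0.9 - - [11/Dec/2013:10:00:03 +0000] "GET /vulnerability/vuln-summary.jsp?vulnid=-1&nodeid=-1%2527%253Cscript%253E HTTP/1.1" 200 4790',
    '10.0.0.9 - - [11/Dec/2013:10:00:04 +0000] "GET /login.jsp?next=%3Cscript%3E HTTP/1.1" 200 2210',
]


def scan_sample() -> List[Tuple[int, Dict[str, str]]]:
    """Run the scanner over the constructed sample; convenient for a quick check."""
    return list(scan(SAMPLE_LOG))


if __name__ == "__main__":
    for line_no, hits in scan_sample():
        print(f"line {line_no}: {hits}")
```

Because the rule keys on the parameter type (an id that is not an integer) rather than on the string "<script", it also catches payloads using other tags or event handlers; the cost is that it is tied to this endpoint and says nothing about other reflected parameters, which is why it complements rather than replaces patching.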

Disclosure timeline

2013-11-22: Private disclosure by Nexpose user @yunuscadirci

2013-11-22: Vulnerability validated by Rapid7 product engineering

2013-11-23: Fix implemented by Rapid7 product engineering

2013-11-27: Update released to address the vulnerability

2013-12-10: Discoverer and Rapid7 coordinate disclosure details

2013-12-11: Public Disclosure

Again, thanks to Yunus for the disclosure -- if you uncover a vulnerability in any of Rapid7's products or assets, we'd appreciate it if you reported it to security@rapid7.com. Our PGP key is Key ID 0x2380F85B8AD4DB8D.