VYPR
Unrated severity · NVD Advisory · Published Mar 17, 2022 · Updated Sep 16, 2024

Rapid7 Nexpose SQL Injection

CVE-2022-0757

Description

Rapid7 Nexpose versions 6.6.93 and earlier are susceptible to an SQL Injection vulnerability, whereby valid search operators are not defined. This lack of validation can allow a logged-in, authenticated attacker to manipulate the "ANY" and "OR" operators in the SearchCriteria and inject SQL code. This issue was fixed in Rapid7 Nexpose version 6.6.129.

Affected products

  • Rapid7/Nexpose (2 versions)
    • (no CPE) range: <=6.6.93
    • (no CPE) range: 6.6.93
