cbcvebase.
CVE-2023-0599
published 2023-02-01

CVE-2023-0599: Rapid7 Metasploit Pro versions 4.21.2 and lower suffer from a stored cross site scripting vulnerability, due to a lack of JavaScript request string…

PriorityP422medium4.8CVSS 3.1
AVNACLPRHUIRSCCLILAN
EPSS
0.37%
28.8th percentile
Rapid7 Metasploit Pro versions 4.21.2 and lower suffer from a stored cross site scripting vulnerability, due to a lack of JavaScript request string sanitization. Using this vulnerability, an authenticated attacker can execute arbitrary HTML and script code in the target browser against another Metasploit Pro user using a specially crafted request. Note that in most deployments, all Metasploit Pro users tend to enjoy privileges equivalent to local administrator.

Affected

2 ranges
VendorProductVersion rangeFixed in
rapid7metasploit<= 4.21.2
rapid7metasploit_pro<= 4.21.2
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.