Vulmon Recent Vulnerabilities Product List Research Posts Trends Blog About Contact
6.1
CVSSv3

CVE-2020-7355

CVSSv4: NA | CVSSv3: 6.1 | CVSSv2: 4.3 | VMScore: 710 | EPSS: 0.00426 | KEV: Not Included
Published: 25/06/2020 Updated: 21/11/2024

Vulnerability Summary

Cross-site Scripting (XSS) vulnerability in the 'notes' field of a discovered scan asset in Rapid7 Metasploit Pro allows an attacker with a specially-crafted network service of a scan target store an XSS sequence in the Metasploit Pro console, which will trigger when the operator views the record of that scanned host in the Metasploit Pro interface. This issue affects Rapid7 Metasploit Pro version 4.17.1-20200427 and prior versions, and is fixed in Metasploit Pro version 4.17.1-20200514. See also CVE-2020-7354, which describes a similar issue, but involving the generated 'host' field of a discovered scan asset.

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

rapid7 metasploit

rapid7 metasploit 4.17.1

Github Repositories

https://github.com/tejamarisetty/ttu

RevOK We see the targets of our scan as passive entities, and this leads to underestimating the risk of performing a scan However, the tools we use to scan are not immune to vulnerabilities Testing these bugs is often hard since they require a dedicated testing infrastructure: RevOK supports analysts by simulating a malicious target and by tracking data in the security scanne

https://github.com/verakva/DVAS

Damn Vulnerable Application Scanner (DVAS) This repository contains a collection of web-based (vulnerable) security scanners, including (but not limited to) the vulnerabilities from "Never Trust Your Victim: Weaponizing Vulnerabilities in Security Scanners" [1] DVAS also contains a simulation of CVE-2020-7354 and CVE-2020-7355 for Metasploit Pro [2] Getting Started

https://github.com/AvalZ/RevOK

An HTTP Response fuzzer to find Vulnerabilities in Security Scanners

RevOK We see the targets of our scan as passive entities, and this leads to underestimating the risk of performing a scan However, the tools we use to scan are not immune to vulnerabilities Testing these bugs is often hard since they require a dedicated testing infrastructure: RevOK supports analysts by simulating a malicious target and by tracking data in the security scanne

https://github.com/AvalZ/DVAS

Damn Vulnerable Application Scanner

Damn Vulnerable Application Scanner (DVAS) This repository contains a collection of web-based (vulnerable) security scanners, including (but not limited to) the vulnerabilities from "Never Trust Your Victim: Weaponizing Vulnerabilities in Security Scanners" [1] DVAS also contains a simulation of CVE-2020-7354 and CVE-2020-7355 for Metasploit Pro [2] Getting Started

References

CWE-79CWE-79https://nvd.nist.govhttps://github.com/tejamarisetty/ttuhttps://github.com/AvalZ/RevOKhttps://www.first.org/epsshttps://avalz.it/research/metasploit-pro-xss-to-rce/https://help.rapid7.com/metasploit/release-notes/archive/2020/05/#20200514https://avalz.it/research/metasploit-pro-xss-to-rce/https://help.rapid7.com/metasploit/release-notes/archive/2020/05/#20200514
Preferred Score:
CVSSv3
CVSSv2
CVSSv3
CVSSv4
EPSS
VMScore
Recommendations:
unprivilegedprivilege escalationCVE-2024-57040morningCVE-2025-24801CVE-2025-24813CVE-2025-29930CVE-2024-10442smartosCVE-2025-0694cryptolibmbconnect24local users
Home
/
Search Results
/
CVE-2020-7355
Vulmon Logo Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Product List Vendor List Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook