Rapid7 Nexpose versions 6.6.93 and previous versions are susceptible to an SQL Injection vulnerability, whereby valid search operators are not defined. This lack of validation can allow a logged-in, authenticated malicious user to manipulate the "ANY" and "OR" operators in the SearchCriteria and inject SQL code. This issue was fixed in Rapid7 Nexpose version 6.6.129.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
rapid7 nexpose |