CVE-2020-7354 MEDIUM

CVE-2020-7354: Rapid7 Metasploit Pro Stored XSS in 'host' field

Vendor Rapid7
Product Metasploit Pro
Weakness CWE-79 · XSS
Published June 25, 2020
Last update September 17, 2024
View on NVD All CVEs

CVSS base score

6.1/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N

What the vulnerability does

01Description

Cross-site Scripting (XSS) vulnerability in the 'host' field of a discovered scan asset in Rapid7 Metasploit Pro allows an attacker with a specially-crafted network service of a scan target to store an XSS sequence in the Metasploit Pro console, which will trigger when the operator views the record of that scanned host in the Metasploit Pro interface. This issue affects Rapid7 Metasploit Pro version 4.17.1-20200427 and prior versions, and is fixed in Metasploit Pro version 4.17.1-20200514. See also CVE-2020-7355, which describes a similar issue, but involving the generated 'notes' field of a discovered scan asset.

Key dates

02Disclosure timeline

June 25, 2020 CVE published
September 17, 2024 Record updated

Related vulnerabilities

04Related CVE

CVE-2024-0346 CodeAstro Vehicle Booking System Feedback Page user-give-feedback.php cross site scripting CVE-2025-13746 ForumWP – Forum & Discussion Board <= 2.1.6 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Display Name CVE-2024-1463 LearnPress <= 4.2.6.3 - Authenticated(LP Instructor+) Stored Cross-Site Scripting CVE-2024-8960 Cowidgets – Elementor Addons <= 1.2.0 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload CVE-2022-32247