Vulnerabilities > Rapid7 > Metasploit > Medium

DATE CVE VULNERABILITY TITLE RISK
2023-02-01 CVE-2023-0599 Cross-site Scripting vulnerability in Rapid7 Metasploit
Rapid7 Metasploit Pro versions 4.21.2 and lower suffer from a stored cross-site scripting vulnerability due to a lack of JavaScript request string sanitization. Using this vulnerability, an authenticated attacker can execute arbitrary HTML and script code in the target browser against another Metasploit Pro user using a specially crafted request.
network
low complexity
rapid7 CWE-79
4.8
2020-06-25 CVE-2020-7355 Cross-site Scripting vulnerability in Rapid7 Metasploit
Cross-site Scripting (XSS) vulnerability in the 'notes' field of a discovered scan asset in Rapid7 Metasploit Pro allows an attacker with a specially-crafted network service of a scan target to store an XSS sequence in the Metasploit Pro console, which will trigger when the operator views the record of that scanned host in the Metasploit Pro interface.
network
low complexity
rapid7 CWE-79
6.1
2020-06-25 CVE-2020-7354 Cross-site Scripting vulnerability in Rapid7 Metasploit
Cross-site Scripting (XSS) vulnerability in the 'host' field of a discovered scan asset in Rapid7 Metasploit Pro allows an attacker with a specially-crafted network service of a scan target to store an XSS sequence in the Metasploit Pro console, which will trigger when the operator views the record of that scanned host in the Metasploit Pro interface.
network
low complexity
rapid7 CWE-79
5.4
2017-10-06 CVE-2017-15084 Cross-Site Request Forgery (CSRF) vulnerability in Rapid7 Metasploit
The web UI in Rapid7 Metasploit before 4.14.1-20170828 allows logout CSRF, aka R7-2017-22.
network
low complexity
rapid7 CWE-352
6.5