Published on 2023-11-06

CVSS · HIGH · 8.6⁄10 · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
Scoring scenario: GENERAL
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: LOW
availabilityImpact: LOW

Rapid7 Velociraptor versions prior to 0.7.0-4 suffer from a reflected cross site scripting vulnerability. This vulnerability allows attackers to inject JS into the error path, potentially leading to unauthorized execution of scripts within a user's web browser. This vulnerability is fixed in version 0.7.0-4 and a patch is available to download. Patches are also available for version 0.6.9 (0.6.9-1)
This issue affects the server only.

Problem:

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-79

Product Status:

ProductAffected
Rapid7 Velociraptorbefore 0.7.0-4

Credits:

Mathias Kujala

Timeline:

  • 2023-11-02 - Notification of the issue
  • 2023-11-06 - Release 0.7.0-4 made available on Github