Vulnerability Details CVE-2023-0599
Rapid7 Metasploit Pro versions 4.21.2 and lower suffer from a stored cross site scripting vulnerability, due to a lack of JavaScript request string sanitization. Using this vulnerability, an authenticated attacker can execute arbitrary HTML and script code in the target browser against another Metasploit Pro user using a specially crafted request. Note that in most deployments, all Metasploit Pro users tend to enjoy privileges equivalent to local administrator.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.004
EPSS Ranking 58.5%
CVSS Severity
CVSS v3 Score 6.1
References
Products affected by CVE-2023-0599
-
cpe:2.3:a:rapid7:metasploit:4.15.0
-
cpe:2.3:a:rapid7:metasploit:4.15.1
-
cpe:2.3:a:rapid7:metasploit:4.16.0
-
cpe:2.3:a:rapid7:metasploit:4.17.1