CVE-2020-7354
Summary
| CVE | CVE-2020-7354 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2020-06-25 18:15:00 UTC |
| Updated | 2020-07-02 14:16:00 UTC |
| Description | Cross-site Scripting (XSS) vulnerability in the 'host' field of a discovered scan asset in Rapid7 Metasploit Pro allows an attacker with a specially-crafted network service of a scan target to store an XSS sequence in the Metasploit Pro console, which will trigger when the operator views the record of that scanned host in the Metasploit Pro interface. This issue affects Rapid7 Metasploit Pro version 4.17.1-20200427 and prior versions, and is fixed in Metasploit Pro version 4.17.1-20200514. See also CVE-2020-7355, which describes a similar issue, but involving the generated 'notes' field of a discovered scan asset. |
Risk And Classification
Problem Types: CWE-79
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Rapid7 | Metasploit | All | All | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | - | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20170221 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20170323 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20170405 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20170419 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20170510 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20170518 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20170530 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20170613 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20170627 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20170718 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20170731 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20170816 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20170828 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20170914 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20170926 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20171009 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20171030 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20171115 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20171129 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20171206 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20171220 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20180108 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20180124 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20180206 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20180301 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20180312 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20180327 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20180410 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20180501 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20180511 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20180526 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20180618 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20180704 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20180716 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20180727 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20180813 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20180827 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20180907 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20180924 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20181009 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20181022 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20181105 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20181130 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20181215 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20190108 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20190118 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20190201 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20190219 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20190303 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20190319 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20190331 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20190416 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20190426 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20190513 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20190603 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20190607 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20190626 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20190722 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20190805 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20190819 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20190910 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20190930 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20191014 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20191030 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20191108 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20191209 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20200113 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20200122 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20200131 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20200218 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20200302 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20200318 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20200330 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20200413 | All | All |
| Application | Rapid7 | Metasploit | All | All | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | - | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20170221 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20170323 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20170405 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20170419 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20170510 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20170518 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20170530 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20170613 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20170627 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20170718 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20170731 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20170816 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20170828 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20170914 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20170926 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20171009 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20171030 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20171115 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20171129 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20171206 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20171220 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20180108 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20180124 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20180206 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20180301 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20180312 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20180327 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20180410 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20180501 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20180511 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20180526 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20180618 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20180704 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20180716 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20180727 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20180813 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20180827 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20180907 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20180924 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20181009 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20181022 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20181105 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20181130 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20181215 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20190108 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20190118 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20190201 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20190219 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20190303 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20190319 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20190331 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20190416 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20190426 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20190513 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20190603 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20190607 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20190626 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20190722 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20190805 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20190819 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20190910 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20190930 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20191014 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20191030 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20191108 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20191209 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20200113 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20200122 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20200131 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20200218 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20200302 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20200318 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20200330 | All | All |
| Application | Rapid7 | Metasploit | 4.17.1 | 20200413 | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Metasploit Release Notes Archive - May 2020 | CONFIRM | help.rapid7.com | Release Notes, Vendor Advisory |
| Attacking the Attackers - AvalZ | MISC | avalz.it | Exploit, Third Party Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
LEGACY: Andrea Valenza at the University of Genoa discovered and reported this issue to Rapid7
There are currently no legacy QID mappings associated with this CVE.