CVE-2021-3535
Published: 2021-06-16 · Last updated: 2026-06-17
Severity and scoring
- CVSS: 4.3 MEDIUM
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
- CWE: CWE-79 (Improper Neutralization of Input During Web Page Generation, i.e. cross-site scripting)
Affected products
| Vendor | Product |
|---|---|
| rapid7 | nexpose |
Description
Rapid7 Nexpose is vulnerable to a non-persistent cross-site scripting vulnerability affecting the Security Console's Filtered Asset Search feature. A specific search criterion and operator combination in Filtered Asset Search could have allowed a user to pass code through the provided search field. This issue affects version 6.6.80 and prior, and is fixed in 6.6.81. If your Security Console currently falls on or within this affected version range, ensure that you update your Security Console to the latest version.
Source: NVD
References
- [NVD](https://nvd.nist.gov/vuln/detail/CVE-2021-3535)
- [Vendor advisory](https://docs.rapid7.com/release-notes/nexpose/20210505/)
Related CVEs
Same vendor
- CVE-2026-7573 — An authorization bypass (CWE-639) in the GetUserRoles gRPC API endpoint in Velocidex Velociraptor below version 0.76.5 allows any authent... (5.0 MEDIUM)
- CVE-2026-7572 — An off-by-one error (CWE-193) in the ConsumeUnit16Array and ConsumeUnit64Array functions in Velocidex Velociraptor before version 0.76.5 ... (4.4 MEDIUM)
- CVE-2026-4482 — The installer certificate files in the …/bootstrap/common/ssl folder do not seem to have restricted permissions on Windows systems (users... (5.5 MEDIUM)
- CVE-2026-4837 — An eval() injection vulnerability in the Rapid7 Insight Agent beaconing logic for Linux versions could theoretically allow an attacker to... (6.6 MEDIUM)
- CVE-2021-3619 — Rapid7 Velociraptor 0.5.9 and prior is vulnerable to a post-authentication persistent cross-site scripting (XSS) issue, where an authenti... (3.5 LOW)
Same CWE
- CVE-2026-12425 — Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in PowerSchool Employee Access ...
- CVE-2024-30476 — PowerStore contains a Stored Cross-Site Scripting Vulnerability in the PowerStore Manager (5.4 MEDIUM)
- CVE-2026-54198 — Unauthenticated Cross Site Scripting (XSS) in Media Library Assistant <= 3.35 versions (7.1 HIGH)
- CVE-2026-54191 — Unauthenticated Cross Site Scripting (XSS) in Pods <= 3.3.8 versions (7.1 HIGH)
- CVE-2026-39437 — Unauthenticated Cross Site Scripting (XSS) in Min Max Step Quantity Limits Manager for WooCommerce <= 5.2.2 versions (7.1 HIGH)