CVE-2022-0758: Nexpose Release Notes
Rapid7 Nexpose versions 6.6.129 and earlier suffer from a reflected cross-site scripting (XSS) vulnerability in the Shared Scan Credential Configuration component of the tool. An attacker could pass literal values as the test credentials, which created an opportunity for a reflected XSS attack. This issue is fixed in Rapid7 Nexpose version 6.6.130.
We fixed an issue where some scan engine updates were being skipped. This caused some engines to be out of sync with their updates.
In Shared Scan Credential Configuration, test credentials no longer accept literal values, which could previously have provided an opportunity for an XSS attack. Thank you to Aleksey Solovev for disclosing this issue.
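The release notes do not say where the test credential value was reflected, so the following is an added, illustrative example and not Nexpose's code: a hypothetical credential-test handler that interpolates the submitted username into its HTML response, the hardened form that HTML-escapes it first, and the check a tester would run against either response with a constructed probe string.

```python
import html

# Constructed probe string for a reflected-XSS check (not taken from the advisory).
XSS_PROBE = '"><script>alert(1)</script>'


def render_test_result_vulnerable(username: str, success: bool) -> str:
    """Hypothetical vulnerable pattern: the user-controlled test credential is
    interpolated straight into the HTML response, so markup in it is rendered."""
    status = "succeeded" if success else "failed"
    return f'<div class="result">Credential test for user "{username}" {status}.</div>'


def render_test_result_fixed(username: str, success: bool) -> str:
    """Hardened form: escape the value for an HTML attribute/text context before
    reflecting it. quote=True also escapes " and ' so the attribute cannot be closed."""
    status = "succeeded" if success else "failed"
    safe_user = html.escape(username, quote=True)
    return f'<div class="result">Credential test for user "{safe_user}" {status}.</div>'


def reflects_unescaped(response: str, probe: str = XSS_PROBE) -> bool:
    """Tester's check: does the probe come back verbatim, i.e. with its
    angle brackets and quotes intact, in the response body?"""
    return probe in response


def unsafe_markup_present(response: str) -> bool:
    """Coarser check: any raw <script tag in the response at all."""
    return "<script" in response.lower()


if __name__ == "__main__":
    for name, render in (("vulnerable", render_test_result_vulnerable),
                         ("fixed", render_test_result_fixed)):
        body = render(XSS_PROBE, False)
        print(f"{name}: reflects probe unescaped = {reflects_unescaped(body)}")
        print(f"  {body}")
```

The hardened version escapes at the point of reflection, which is the minimal fix for a reflected XSS; the advisory's own fix additionally stops literal values from being accepted as test credentials in the first place, which removes the untrusted input from that code path altogether.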
An issue that prevented users from deleting custom policies when ARF (Asset Reporting Format) files were corrupted or missing has been fixed. Policy deletion now completes, and a warning is written to the console log identifying the affected ARF files.
Goals dashboard cards failed to load correctly, which prevented the entire dashboard from loading. Dashboards now load successfully in this case.
We fixed an issue that caused some assets with the InsightVM Agent installed to fail to remediate vulnerabilities in the Console UI if the Agent data was never imported.
We fixed an issue that was causing errors in the console and engine communications to be suppressed.
We fixed false positives (F+) for Rule 4.2.9 in the CIS IBM AIX 7.1 Benchmark v1.1.0 and for some rules in the Apache HTTP 2.4 policy v1.3.0.
We fixed an issue when asserting network interfaces.
We fixed an issue that caused scans to be slow to start, and consoles to lose connectivity to shared engines, when a scan contained large IPv6 address ranges.