Skip to main content

Nexus Repository Manager CVE-2018-5307

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2018-02-09 cve@mitre.org
6.1
CVSS 3.0 · NVD
Share

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
Feb 09, 2018 - 22:29 nvd
MEDIUM 6.1

DescriptionNVD

Multiple cross-site scripting (XSS) vulnerabilities in Sonatype Nexus Repository Manager (aka NXRM) 2.x before 2.14.6 allow remote attackers to inject arbitrary web script or HTML via (1) the repoId or (2) format parameter to service/siesta/healthcheck/healthCheckFileDetail/.../index.html; (3) the filename in the "File Upload" functionality of the Staging Upload; (4) the username when creating a new user; or (5) the IQ Server URL field in the IQ Server Connection functionality.

AnalysisAI

Multiple cross-site scripting (XSS) vulnerabilities in Sonatype Nexus Repository Manager (aka NXRM) 2.x before 2.14.6 allow remote attackers to inject arbitrary web script or HTML via (1) the repoId. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. Multiple cross-site scripting (XSS) vulnerabilities in Sonatype Nexus Repository Manager (aka NXRM) 2.x before 2.14.6 allow remote attackers to inject arbitrary web script or HTML via (1) the repoId or (2) format parameter to service/siesta/healthcheck/healthCheckFileDetail/.../index.html; (3) the filename in the "File Upload" functionality of the Staging Upload; (4) the username when creating a new user; or (5) the IQ Server URL field in the IQ Server Connection functionality. Affected products include: Sonatype Nexus Repository Manager. Version information: before 2.14.6.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

CVE-2019-7238 CRITICAL POC
9.8 Mar 21

Sonatype Nexus Repository Manager before 3.15.0 has Incorrect Access Control. Rated critical severity (CVSS 9.8), this v

CVE-2019-5475 HIGH POC
8.8 Sep 03

The Nexus Yum Repository Plugin in v2 is vulnerable to Remote Code Execution when instances using CommandLineExecutor.ja

CVE-2018-16621 HIGH POC
7.2 Nov 15

Sonatype Nexus Repository Manager before 3.14 allows Java Expression Language Injection. Rated high severity (CVSS 7.2),

CVE-2018-5306 MEDIUM POC
6.1 Feb 09

Multiple cross-site scripting (XSS) vulnerabilities in Sonatype Nexus Repository Manager (aka NXRM) 3.x before 3.8 allow

CVE-2017-17717 CRITICAL
9.8 Dec 17

Sonatype Nexus Repository Manager through 2.14.5 has weak password encryption with a hardcoded CMMDwoV value in the LDAP

CVE-2019-9629 CRITICAL
9.8 Jul 08

Sonatype Nexus Repository Manager before 3.17.0 establishes a default administrator user with weak defaults (fixed crede

CVE-2026-11403 HIGH
8.7 Jul 14

Improper API key generation in Sonatype Nexus Repository Manager lets a remote attacker impersonate a targeted user and

CVE-2026-3329 HIGH
8.7 Jun 11

Credential-guessing attacks against Sonatype Nexus Repository Manager are enabled by missing rate-limiting on authentica

CVE-2020-15012 HIGH
8.6 Oct 12

A Directory Traversal issue was discovered in Sonatype Nexus Repository Manager 2.x before 2.14.19. Rated high severity

CVE-2020-15868 HIGH
7.5 Aug 12

Sonatype Nexus Repository Manager OSS/Pro before 3.26.0 has Incorrect Access Control. Rated high severity (CVSS 7.5), th

CVE-2019-9630 HIGH
7.5 Jul 08

Sonatype Nexus Repository Manager before 3.17.0 has a weak default of giving any unauthenticated user read permissions o

CVE-2018-16620 HIGH
7.5 Nov 15

Sonatype Nexus Repository Manager before 3.14 has Incorrect Access Control. Rated high severity (CVSS 7.5), this vulnera

Share

CVE-2018-5307 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy