FISA

  Rapid7 has patched a critical  SQL injection  vulnerability in Nexpose, its on-premises vulnerability management software. The flaw, which has a CVSS rating of 9.8, arose because valid search operators were not defined, according to the  CVE description  for the bug, which is tracked as CVE-2022-0757. Consequently, attackers can inject SQL code after manipulating the ‘ALL’ or ‘ANY’ filter query operators in the SearchCriteria. This issue affects all versions of Nexpose – alternately known as Security Console – up to and including 6.6.128. XSS in the mix Rapid7, a Massachusetts-based cybersecurity firm, addressed the issue in Nexpose version  6.6.129 , released March 2. The latest version also includes support for TLS 1.3 services, an added vulnerability check for Log4j, and additional Metasploit-based vulnerability coverage. The Nexpose  vulnerability scanner  also contained a medium severity  cross-site scripting  (XSS) flaw. Residing in the shared scan configuration, the  reflected