XSS in Rapid7 Velociraptor
CVE-2022-35630
A cross-site scripting (XSS) issue in generating a collection report made it possible for malicious clients to inject JavaScript code into the static HTML file. This issue was resolved in Velociraptor 0.6.5-2.
Vulnerability class: XSS (Cross-Site Scripting)
EPSS: 0.005 (68.1th percentile)
Affected products
- Rapid7 Velociraptor — versions 0.6.5-2
Weakness classification (CWE)
References
- www.rapid7.com/blog/post/2022/07/26/cve-2022-35629-35632-velociraptor-multiple-… (x_refsource_CONFIRM)