Nexpose is a vulnerability management product that companies use to quickly identify gaps in their infrastructure defences.
CVE-2020-7383 is a SQL injection vulnerability in Nexpose. An attacker who can exploit it is able to read certain data stored in the product's database, including information on detected vulnerabilities, past scans, and policies. SQL injection could also be used to mount a denial of service (DoS) attack against the database and so disrupt the normal functioning of the web interface.
Mikhail Klyuchnikov, researcher at Positive Technologies, said: "This vulnerability enables a logged-in attacker to access and modify certain database records, as well as add new ones. Only a low level of system privileges is necessary to exploit this vulnerability and obtain access to data that should not be visible to a user with that level of privileges."
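The pattern described above, an authenticated low-privileged user reading vulnerability and scan records outside their scope because user input is concatenated into a query, as an added illustration that is not Nexpose code and does not come from Rapid7 or Positive Technologies. The table names, the per-site permission model, the `title_filter` parameter and the two payloads are assumptions constructed for this example and say nothing about the real injection point in CVE-2020-7383. The hardened function beside the vulnerable one shows the fix a practitioner would expect: every user-controlled value goes through a placeholder, and the site scope is built from the account's permissions on the server side.

```python
"""Constructed SQL injection illustration against an in-memory SQLite database.
Not Nexpose code; schema, permission model and payloads are assumptions."""
import sqlite3


def build_db():
    """Create a tiny constructed schema: scans and vulnerabilities scoped by site."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE scans (id INTEGER, site TEXT, finished TEXT);
        CREATE TABLE vulnerabilities (id INTEGER, site TEXT, title TEXT, severity INTEGER);
        INSERT INTO scans VALUES (1, 'dmz', '2020-06-01'), (2, 'internal', '2020-06-02');
        INSERT INTO vulnerabilities VALUES
            (1, 'dmz',      'Outdated TLS configuration', 5),
            (2, 'internal', 'Unpatched domain controller', 9),
            (3, 'internal', 'Default credentials on backup appliance', 10);
    """)
    return conn


def allowed_sites(user):
    """Assumed authorization model: a low-privileged account may only see the 'dmz' site."""
    return {"lowpriv": ["dmz"], "admin": ["dmz", "internal"]}[user]


def list_vulns_vulnerable(conn, user, title_filter):
    """Vulnerable: the user-controlled title filter is concatenated into the SQL text,
    so the filter can terminate the string literal and change the WHERE clause."""
    sites = ",".join("'%s'" % s for s in allowed_sites(user))
    sql = ("SELECT id, site, title, severity FROM vulnerabilities "
           "WHERE site IN (%s) AND title LIKE '%%%s%%'" % (sites, title_filter))
    return conn.execute(sql).fetchall()


def list_vulns_safe(conn, user, title_filter):
    """Hardened: placeholders for every user-controlled value. The site list still
    comes from the server-side permission check, never from request input."""
    sites = allowed_sites(user)
    placeholders = ",".join("?" * len(sites))
    sql = ("SELECT id, site, title, severity FROM vulnerabilities "
           f"WHERE site IN ({placeholders}) AND title LIKE ?")
    return conn.execute(sql, [*sites, f"%{title_filter}%"]).fetchall()


# Constructed payloads (hypothetical, not taken from any advisory).
# Tautology: closes the LIKE literal, ORs in an always-true condition, comments out the rest.
# Because AND binds tighter than OR, the site restriction no longer applies.
TAUTOLOGY = "x' OR '1'='1' -- "
# UNION: appends rows from a different table (past scans) that the user cannot normally list.
UNION_SCANS = "x' UNION SELECT id, site, finished, 0 FROM scans -- "


def run_demo(user="lowpriv"):
    """Run an honest filter and both payloads through the vulnerable and hardened code paths."""
    conn = build_db()
    return {
        "honest_vulnerable": list_vulns_vulnerable(conn, user, "TLS"),
        "honest_safe": list_vulns_safe(conn, user, "TLS"),
        "tautology_vulnerable": list_vulns_vulnerable(conn, user, TAUTOLOGY),
        "tautology_safe": list_vulns_safe(conn, user, TAUTOLOGY),
        "union_vulnerable": list_vulns_vulnerable(conn, user, UNION_SCANS),
        "union_safe": list_vulns_safe(conn, user, UNION_SCANS),
    }


if __name__ == "__main__":
    for name, rows in run_demo().items():
        print(f"{name}: {len(rows)} row(s)")
        for row in rows:
            print("   ", row)
```

Running the block as the low-privileged user shows the honest filter returning the same single DMZ row through both paths, while the tautology payload returns every row of `vulnerabilities` (including `internal` findings) and the UNION payload returns both `scans` rows from the vulnerable path; the hardened path returns nothing for either payload because the whole string is matched literally. Parameterization is the fix for the injection itself; running the application against a least-privileged database account and enforcing per-record authorization are the complementary controls that limit what an injection can reach.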
The vulnerability has a CVSS score of 6.5, which corresponds to medium severity. Rapid7, the developer of Nexpose, has released updates that fix the issue; since exploitation requires only a valid low-privileged account, customers should apply them promptly.