Persistent Cross—Site Scripting
CVE-2020-10203
Nexus Repository Manager
3.20.1
An attacker with elevated privileges can create content selectors with a specially crafted name using the REST API (not allowed by the UI) which when viewed by another user can execute arbitrary JavaScript in the context of the NXRM application.
The identified vulnerability allows arbitrary JavaScript to run in an NXRM user’s browser in the context of the application. In regards to XSS, it is common that the injected JavaScript could forge requests on behalf of the user, redirect the user to another site or modify the page content.
Escape content selector names when rendered by the front-end
CVE-2020-10203 Nexus Repository Manager 3 - Cross Site Scripting XSS - 2020-03-31
This issue was discovered and reported by GHSL team member @pwntester (Alvaro Muñoz).
You can contact the GHSL team at securitylab@github.com
, please include the GHSL-2020-016
in any communication regarding this issue.