April 3, 2020

GHSL-2020-016: Persistent Cross-Site scripting in Nexus Repository Manager

Alvaro Muñoz


Persistent Cross-Site Scripting




Product

Nexus Repository Manager

Tested Version



Summary

An attacker with elevated privileges can create a content selector with a specially crafted name through the REST API (the UI does not allow such names). When another user views that content selector, the name is rendered without escaping and arbitrary JavaScript executes in the context of the NXRM application.


Impact

The identified vulnerability allows arbitrary JavaScript to run in an NXRM user's browser in the context of the application. As with any XSS, the injected JavaScript can forge requests on behalf of the victim user, redirect the user to another site, or modify the page content.


Remediation

Escape content selector names when they are rendered by the front-end.
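The rendering bug described in the summary and the remediation above, as an added example that is not code from Nexus Repository Manager or from this advisory: a renderer that interpolates the selector name straight into markup beside one that escapes it, plus a server-side name check so the REST API cannot accept names the UI rejects. The function names, the table markup, the allowed-name pattern and the sample selector are all assumptions constructed for illustration.

```javascript
// Added example (not Nexus Repository Manager code): the vulnerable rendering
// pattern beside the remediated one, plus a server-side name check as a
// defence-in-depth measure. Function names and the allowed-name pattern are
// assumptions for illustration, not NXRM's real API.

// Escape the five characters that let a string break out of an HTML text or
// quoted-attribute context. Apply it to every untrusted value at render time.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// VULNERABLE: the selector name is interpolated straight into markup. A name
// such as <img src=x onerror=...> therefore becomes live HTML in the viewer's
// browser. This mirrors the bug class the advisory describes.
function renderSelectorRowUnsafe(selector) {
  return `<tr><td>${selector.name}</td><td>${selector.expression}</td></tr>`;
}

// REMEDIATED: every field is escaped before it reaches the markup, so the
// crafted name is displayed as literal text instead of being parsed as HTML.
function renderSelectorRowSafe(selector) {
  return `<tr><td>${escapeHtml(selector.name)}</td><td>${escapeHtml(selector.expression)}</td></tr>`;
}

// Defence in depth (assumption): enforce on the server the same restriction the
// UI imposes on names, so a REST client cannot bypass it. The exact pattern the
// NXRM UI uses is not given in the advisory; this one is illustrative.
const SELECTOR_NAME_RE = /^[A-Za-z0-9_.-]{1,128}$/;
function isValidSelectorName(name) {
  return SELECTOR_NAME_RE.test(String(name));
}

// Constructed sample: a name a REST client could submit but the UI would reject.
const craftedSelector = {
  name: '<img src=x onerror=alert(document.domain)>',
  expression: 'format == "maven2"',
};

// Runs both renderers and the name check over one selector and reports
// whether the raw tag survives into the output of each.
function demonstrate(selector) {
  const unsafe = renderSelectorRowUnsafe(selector);
  const safe = renderSelectorRowSafe(selector);
  return {
    unsafeContainsTag: unsafe.includes('<img'),
    safeContainsTag: safe.includes('<img'),
    nameAccepted: isValidSelectorName(selector.name),
    safeRow: safe,
  };
}

console.log(demonstrate(craftedSelector));
```

In a real front-end the equivalent fix is to assign untrusted values through `textContent` or the framework's default escaping binding rather than `innerHTML` or raw template interpolation. Note that the escaper above covers HTML text and quoted-attribute contexts only; a name that ends up inside a script block or a URL needs context-specific encoding. Escaping at render time is the fix the advisory asks for; validating names at the API so that it accepts only what the UI would accept additionally closes the REST bypass described in the summary.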

Coordinated Disclosure Timeline

  • 02/03/2020: Report sent to Vendor
  • 02/03/2020: Sonatype acknowledged report
  • 02/14/2020: Sonatype raises questions about some of the issues
  • 02/17/2020: GHSL answers Sonatype questions
  • 02/19/2020: Sonatype agrees with GHSL comments

Vendor advisories

CVE-2020-10203 Nexus Repository Manager 3 - Cross Site Scripting XSS - 2020-03-31


Credit

This issue was discovered and reported by GHSL team member @pwntester (Alvaro Muñoz).


Contact

You can contact the GHSL team at securitylab@github.com; please include GHSL-2020-016 in any communication regarding this issue.