CVE-2025-4951

EUVD-2025-15823
Editions of Rapid7 AppSpider Pro before versionĀ 7.5.018 is vulnerable to a stored cross-site scripting vulnerability in the "ScanName" field.
Despite the application preventing the inclusion of special characters within the "ScanName" field, this could be bypassed by modifying the configuration file directly.

This is fixed as of versionĀ 7.5.018
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
4.6 MEDIUM
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
rapid7CNA
4.6 MEDIUM
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 7%
Affected Products (NVD)
VendorProductVersion
rapid7appspider_pro
𝑥
< 7.5.018
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://docs.rapid7.com/release-notes/appspider/20250516/