Project

General

Profile

Actions

Bug #16934

closed

Potential XSS in nmap scan output

Added by Jim Pingle 9 days ago. Updated 1 day ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
Nmap
Target version:
-
Start date:
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Affected Version:
Affected Plus Version:
Affected Architecture:

Description

When performing a scan using nmap_scan.php, the output of the scan is printed to the user without encoding, leading to a potential XSS if a scan is run with the -sV parameter to identify service versions.

When nmap scans a host with the -sV parameter active, it attempts to determine the version of the daemon it detected after finding an open port. If nmap does not recognize the service, it prints the text returned by the scanned service.

If this text returned by the target daemon contains an XSS payload, the page will print it back to the user. For example:

</textarea><svg/onload=alert`XSS`>

Reported by: @lujiefsi

Actions #1

Updated by Jim Pingle 9 days ago

  • Description updated (diff)
  • Status changed from Confirmed to Feedback
  • % Done changed from 0 to 100

Fixed in commit 8db5b90652bc3508141903c34cf14df951502037

New package builds are available now for Plus 26.03.1 and CE 2.8.1.

Actions #2

Updated by Georgiy Tyutyunnik 6 days ago

  • Status changed from Feedback to Resolved

reproduced on the earlier versions
fixed in current package version for 26.03.1

tested on
26.03.1-RELEASE (amd64)
built on Wed May 20 15:19:00 UTC 2026
FreeBSD 16.0-CURRENT
nmap version 1.4.4_12

Actions #3

Updated by Jim Pingle 1 day ago

  • Description updated (diff)
Actions #4

Updated by Jim Pingle 1 day ago

  • Private changed from Yes to No
Actions

Also available in: Atom PDF