Bug #16934
closedPotential XSS in nmap scan output
100%
Description
When performing a scan using nmap_scan.php, the output of the scan is printed to the user without encoding, leading to a potential XSS if a scan is run with the -sV parameter to identify service versions.
When nmap scans a host with the -sV parameter active, it attempts to determine the version of the daemon it detected after finding an open port. If nmap does not recognize the service, it prints the text returned by the scanned service.
If this text returned by the target daemon contains an XSS payload, the page will print it back to the user. For example:
</textarea><svg/onload=alert`XSS`>
Reported by: @lujiefsi
Updated by Jim Pingle 9 days ago
- Description updated (diff)
- Status changed from Confirmed to Feedback
- % Done changed from 0 to 100
Fixed in commit 8db5b90652bc3508141903c34cf14df951502037
New package builds are available now for Plus 26.03.1 and CE 2.8.1.
Updated by Georgiy Tyutyunnik 6 days ago
- Status changed from Feedback to Resolved
reproduced on the earlier versions
fixed in current package version for 26.03.1
tested on
26.03.1-RELEASE (amd64)
built on Wed May 20 15:19:00 UTC 2026
FreeBSD 16.0-CURRENT
nmap version 1.4.4_12