Filtered by vendor Rapid7
Subscribe
Total
69 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2016-9757 | 1 Rapid7 | 1 Nexpose | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| In the Create Tags page of the Rapid7 Nexpose version 6.4.12 user interface, any authenticated user who has the capability to create tags can inject cross-site scripting (XSS) elements in the tag name field. Once this tag is viewed in the Tag Detail page of the Rapid7 Nexpose 6.4.12 UI by another authenticated user, the script is run in that user's browser context. | |||||
| CVE-2012-6494 | 1 Rapid7 | 1 Nexpose | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Rapid7 Nexpose before 5.5.4 contains a session hijacking vulnerability which allows remote attackers to capture a user's session and gain unauthorized access. | |||||
| CVE-2012-6493 | 1 Rapid7 | 1 Nexpose | 2024-11-21 | 6.8 MEDIUM | N/A |
| Cross-site request forgery (CSRF) vulnerability in Rapid7 Nexpose Security Console before 5.5.4 allows remote attackers to hijack the authentication of unspecified victims for requests that delete scan data and sites via a request to data/site/delete. | |||||
| CVE-2024-8042 | 1 Rapid7 | 1 Insight Platform | 2024-09-17 | N/A | 3.1 LOW |
| Rapid7 Insight Platform versions between November 2019 and August 14, 2024 suffer from missing authorization issues whereby an attacker can intercept local requests to set the name and description of a new user group. This could potentially lead to an empty user group being added to the incorrect customer. This vulnerability is remediated as of August 14, 2024. | |||||
| CVE-2024-6504 | 1 Rapid7 | 1 Insightvm | 2024-09-10 | N/A | 5.3 MEDIUM |
| Rapid7 InsightVM Console versions below 6.6.260 suffer from a protection mechanism failure whereby an attacker with network access to the InsightVM Console can cause it to overload or crash by sending repeated invalid REST requests in a short timeframe, to the Console's port 443 causing the console to enter an exception handling logging loop, exhausting the CPU. There is no indication that an attacker can use this method to escalate privilege, acquire unauthorized access to data, or gain control of protected resources. This issue is fixed in version 6.6.261. | |||||
| CVE-2023-5950 | 1 Rapid7 | 1 Velociraptor | 2024-02-28 | N/A | 6.1 MEDIUM |
| Rapid7 Velociraptor versions prior to 0.7.0-4 suffer from a reflected cross site scripting vulnerability. This vulnerability allows attackers to inject JS into the error path, potentially leading to unauthorized execution of scripts within a user's web browser. This vulnerability is fixed in version 0.7.0-04 and a patch is available to download. Patches are also available for version 0.6.9 (0.6.9-1). | |||||
| CVE-2023-2273 | 1 Rapid7 | 1 Insight Agent | 2024-02-28 | N/A | 7.5 HIGH |
| Rapid7 Insight Agent token handler versions 3.2.6 and below, suffer from a Directory Traversal vulnerability whereby unsanitized input from a CLI argument flows into io.ioutil.WriteFile, where it is used as a path. This can result in a Path Traversal vulnerability and allow an attacker to write arbitrary files. This issue is remediated in version 3.3.0 via safe guards that reject inputs that attempt to do path traversal. | |||||
| CVE-2023-2226 | 1 Rapid7 | 1 Velociraptor | 2024-02-28 | N/A | 5.3 MEDIUM |
| Due to insufficient validation in the PE and OLE parsers in Rapid7's Velociraptor versions earlier than 0.6.8 allows attacker to crash Velociraptor during parsing of maliciously malformed files. For this attack to succeed, the attacker needs to be able to introduce malicious files to the system at the same time that Velociraptor attempts to collect any artifacts that attempt to parse PE files, Authenticode signatures, or OLE files. After crashing, the Velociraptor service will restart and it will still be possible to collect other artifacts. | |||||
| CVE-2023-1699 | 1 Rapid7 | 1 Nexpose | 2024-02-28 | N/A | 9.8 CRITICAL |
| Rapid7 Nexpose versions 6.6.186 and below suffer from a forced browsing vulnerability. This vulnerability allows an attacker to manipulate URLs to forcefully browse to and access administrative pages. This vulnerability is fixed in version 6.6.187. | |||||