Vulnerabilities > Rapid7

DATE CVE VULNERABILITY TITLE RISK
2021-08-19 CVE-2021-31868 Missing Authentication for Critical Function vulnerability in Rapid7 Nexpose
Rapid7 Nexpose version 6.6.95 and earlier allows authenticated users of the Security Console to view and edit any ticket in the legacy ticketing feature, regardless of the assignment of the ticket.
network
low complexity
rapid7 CWE-306
5.5
2021-07-22 CVE-2021-3619 Cross-site Scripting vulnerability in Rapid7 Velociraptor
Rapid7 Velociraptor 0.5.9 and prior is vulnerable to a post-authentication persistent cross-site scripting (XSS) issue, where an authenticated user could abuse MIME filetype sniffing to embed executable code on a malicious upload.
network
rapid7 CWE-79
3.5
2021-06-16 CVE-2021-3535 Cross-site Scripting vulnerability in Rapid7 Nexpose
Rapid7 Nexpose is vulnerable to a non-persistent cross-site scripting vulnerability affecting the Security Console's Filtered Asset Search feature.
network
rapid7 CWE-79
4.3
2021-04-23 CVE-2020-7385 Deserialization of Untrusted Data vulnerability in Rapid7 Metasploit
By launching the drb_remote_codeexec exploit, a Metasploit Framework user will inadvertently expose Metasploit to the same deserialization issue that is exploited by that module, due to the reliance on the vulnerable Distributed Ruby class functions.
network
rapid7 CWE-502
6.8
2020-10-29 CVE-2020-7384 Command Injection vulnerability in Rapid7 Metasploit
Rapid7's Metasploit msfvenom framework handles APK files in a way that allows for a malicious user to craft and publish a file that would execute arbitrary commands on a victim's machine.
network
rapid7 CWE-77
critical
9.3
2020-10-14 CVE-2020-7383 SQL Injection vulnerability in Rapid7 Nexpose
A SQL Injection issue in Rapid7 Nexpose version prior to 6.6.49 that may have allowed an authenticated user with a low permission level to access resources & make changes they should not have been able to access.
network
low complexity
rapid7 CWE-89
5.5
2020-09-18 CVE-2020-7358 Uncontrolled Search Path Element vulnerability in Rapid7 Appspider
In AppSpider installer versions prior to 7.2.126, the AppSpider installer calls an executable which can be placed in the appropriate directory by an attacker with access to the local machine.
local
rapid7 CWE-427
4.4
2020-09-03 CVE-2020-7382 Unquoted Search Path or Element vulnerability in Rapid7 Nexpose
Rapid7 Nexpose installer version prior to 6.6.40 contains an Unquoted Search Path which may allow an attacker on the local machine to insert an arbitrary file into the executable path.
local
rapid7 CWE-428
4.4
2020-09-03 CVE-2020-7381 Code Injection vulnerability in Rapid7 Nexpose
In Rapid7 Nexpose installer versions prior to 6.6.40, the Nexpose installer calls an executable which can be placed in the appropriate directory by an attacker with access to the local machine.
network
rapid7 CWE-94
6.8
2020-09-01 CVE-2019-5645 Resource Exhaustion vulnerability in Rapid7 Metasploit
By sending a specially crafted HTTP GET request to a listening Rapid7 Metasploit HTTP handler, an attacker can register an arbitrary regular expression.
network
low complexity
rapid7 CWE-400
5.0