Vulnerabilities > Rapid7
|2021-08-19||CVE-2021-31868|| Missing Authentication for Critical Function vulnerability in Rapid7 Nexpose |
Rapid7 Nexpose version 6.6.95 and earlier allows authenticated users of the Security Console to view and edit any ticket in the legacy ticketing feature, regardless of the assignment of the ticket.
| 5.5 |
|2021-07-22||CVE-2021-3619|| Cross-site Scripting vulnerability in Rapid7 Velociraptor |
Rapid7 Velociraptor 0.5.9 and prior is vulnerable to a post-authentication persistent cross-site scripting (XSS) issue, where an authenticated user could abuse MIME filetype sniffing to embed executable code on a malicious upload.
| 3.5 |
|2021-06-16||CVE-2021-3535|| Cross-site Scripting vulnerability in Rapid7 Nexpose |
Rapid7 Nexpose is vulnerable to a non-persistent cross-site scripting vulnerability affecting the Security Console's Filtered Asset Search feature.
| 4.3 |
|2021-04-23||CVE-2020-7385|| Deserialization of Untrusted Data vulnerability in Rapid7 Metasploit |
By launching the drb_remote_codeexec exploit, a Metasploit Framework user will inadvertently expose Metasploit to the same deserialization issue that is exploited by that module, due to the reliance on the vulnerable Distributed Ruby class functions.
| 6.8 |
|2020-10-29||CVE-2020-7384|| Command Injection vulnerability in Rapid7 Metasploit |
Rapid7's Metasploit msfvenom framework handles APK files in a way that allows for a malicious user to craft and publish a file that would execute arbitrary commands on a victim's machine.
| 9.3 |
|2020-10-14||CVE-2020-7383|| SQL Injection vulnerability in Rapid7 Nexpose |
A SQL Injection issue in Rapid7 Nexpose version prior to 6.6.49 that may have allowed an authenticated user with a low permission level to access resources & make changes they should not have been able to access.
| 5.5 |
|2020-09-18||CVE-2020-7358|| Uncontrolled Search Path Element vulnerability in Rapid7 Appspider |
In AppSpider installer versions prior to 7.2.126, the AppSpider installer calls an executable which can be placed in the appropriate directory by an attacker with access to the local machine.
| 4.4 |
|2020-09-03||CVE-2020-7382|| Unquoted Search Path or Element vulnerability in Rapid7 Nexpose |
Rapid7 Nexpose installer version prior to 6.6.40 contains an Unquoted Search Path which may allow an attacker on the local machine to insert an arbitrary file into the executable path.
| 4.4 |
|2020-09-03||CVE-2020-7381|| Code Injection vulnerability in Rapid7 Nexpose |
In Rapid7 Nexpose installer versions prior to 6.6.40, the Nexpose installer calls an executable which can be placed in the appropriate directory by an attacker with access to the local machine.
| 6.8 |
|2020-09-01||CVE-2019-5645|| Resource Exhaustion vulnerability in Rapid7 Metasploit |
By sending a specially crafted HTTP GET request to a listening Rapid7 Metasploit HTTP handler, an attacker can register an arbitrary regular expression.
| 5.0 |