Vulnerabilities > Rapid7
|2021-07-22||CVE-2021-3619|| Cross-Site Scripting vulnerability in Rapid7 Velociraptor |
Rapid7 Velociraptor 0.5.9 and prior is vulnerable to a post-authentication persistent cross-site scripting (XSS) issue, where an authenticated user could abuse MIME filetype sniffing to embed executable code on a malicious upload.
| 3.5 |
|2021-06-16||CVE-2021-3535|| Cross-Site Scripting vulnerability in Rapid7 Nexpose |
Rapid7 Nexpose is vulnerable to a non-persistent cross-site scripting vulnerability affecting the Security Console's Filtered Asset Search feature.
| 4.3 |
|2021-04-23||CVE-2020-7385|| Deserialization of Untrusted Data vulnerability in Rapid7 Metasploit |
By launching the drb_remote_codeexec exploit, a Metasploit Framework user will inadvertently expose Metasploit to the same deserialization issue that is exploited by that module, due to the reliance on the vulnerable Distributed Ruby class functions.
| 6.8 |
|2020-10-29||CVE-2020-7384|| Command Injection vulnerability in Rapid7 Metasploit |
Rapid7's Metasploit msfvenom framework handles APK files in a way that allows for a malicious user to craft and publish a file that would execute arbitrary commands on a victim's machine.
| 9.3 |
|2020-10-14||CVE-2020-7383|| SQL Injection vulnerability in Rapid7 Nexpose |
A SQL Injection issue in Rapid7 Nexpose version prior to 6.6.49 that may have allowed an authenticated user with a low permission level to access resources & make changes they should not have been able to access.
| 5.5 |
|2020-09-18||CVE-2020-7358|| Uncontrolled Search Path Element vulnerability in Rapid7 Appspider |
In AppSpider installer versions prior to 7.2.126, the AppSpider installer calls an executable which can be placed in the appropriate directory by an attacker with access to the local machine.
| 4.4 |
|2020-09-03||CVE-2020-7382|| Unquoted Search Path OR Element vulnerability in Rapid7 Nexpose |
Rapid7 Nexpose installer version prior to 6.6.40 contains an Unquoted Search Path which may allow an attacker on the local machine to insert an arbitrary file into the executable path.
| 4.4 |
|2020-09-03||CVE-2020-7381|| Code Injection vulnerability in Rapid7 Nexpose |
In Rapid7 Nexpose installer versions prior to 6.6.40, the Nexpose installer calls an executable which can be placed in the appropriate directory by an attacker with access to the local machine.
| 6.8 |
|2020-09-01||CVE-2019-5645|| Resource Exhaustion vulnerability in Rapid7 Metasploit |
By sending a specially crafted HTTP GET request to a listening Rapid7 Metasploit HTTP handler, an attacker can register an arbitrary regular expression.
| 5.0 |
|2020-08-24||CVE-2020-7377|| Path Traversal vulnerability in Rapid7 Metasploit |
The Metasploit Framework module "auxiliary/admin/http/telpho10_credential_dump" module is affected by a relative path traversal vulnerability in the untar method which can be exploited to write arbitrary files to arbitrary locations on the host file system when the module is run on a malicious HTTP server.
| 5.0 |