Vulnerabilities > Rapid7

DATE CVE VULNERABILITY TITLE RISK
2022-03-17 CVE-2022-0237 Unquoted Search Path or Element vulnerability in Rapid7 Insight Agent
Rapid7 Insight Agent versions 3.1.2.38 and earlier suffer from a privilege escalation vulnerability, whereby an attacker can hijack the flow of execution due to an unquoted argument to the runas.exe command used by the ir_agent.exe component, resulting in elevated rights and persistent access to the machine.
local
low complexity
rapid7 CWE-428
7.2
2022-03-17 CVE-2022-0757 SQL Injection vulnerability in Rapid7 Nexpose
Rapid7 Nexpose versions 6.6.93 and earlier are susceptible to an SQL Injection vulnerability, whereby valid search operators are not defined.
network
low complexity
rapid7 CWE-89
6.5
2022-03-17 CVE-2022-0758 Cross-site Scripting vulnerability in Rapid7 Nexpose
Rapid7 Nexpose versions 6.6.129 and earlier suffer from a reflected cross site scripting vulnerability, within the shared scan configuration component of the tool.
network
rapid7 CWE-79
4.3
2022-01-21 CVE-2021-4016 Improper Privilege Management vulnerability in Rapid7 Insight Agent
Rapid7 Insight Agent, versions prior to 3.1.3, suffer from an improper access control vulnerability whereby, the user has access to the snapshot directory.
local
low complexity
rapid7 CWE-269
2.1
2021-12-14 CVE-2021-4007 Uncontrolled Search Path Element vulnerability in Rapid7 Insight Agent
Rapid7 Insight Agent, versions 3.0.1 to 3.1.2.34, suffer from a local privilege escalation due to an uncontrolled DLL search path.
local
low complexity
rapid7 CWE-427
7.2
2021-11-22 CVE-2019-5640 Information Exposure vulnerability in Rapid7 Nexpose
Rapid7 Nexpose versions prior to 6.6.114 suffer from an information exposure issue whereby, when the user's session has ended due to inactivity, an attacker can use the inspect element browser feature to remove the login panel and view the details available in the last webpage visited by previous user
network
low complexity
rapid7 CWE-200
5.0
2021-08-19 CVE-2021-31868 Missing Authentication for Critical Function vulnerability in Rapid7 Nexpose
Rapid7 Nexpose version 6.6.95 and earlier allows authenticated users of the Security Console to view and edit any ticket in the legacy ticketing feature, regardless of the assignment of the ticket.
network
low complexity
rapid7 CWE-306
5.5
2021-07-22 CVE-2021-3619 Cross-site Scripting vulnerability in Rapid7 Velociraptor
Rapid7 Velociraptor 0.5.9 and prior is vulnerable to a post-authentication persistent cross-site scripting (XSS) issue, where an authenticated user could abuse MIME filetype sniffing to embed executable code on a malicious upload.
network
rapid7 CWE-79
3.5
2021-06-16 CVE-2021-3535 Cross-site Scripting vulnerability in Rapid7 Nexpose
Rapid7 Nexpose is vulnerable to a non-persistent cross-site scripting vulnerability affecting the Security Console's Filtered Asset Search feature.
network
rapid7 CWE-79
4.3
2021-04-23 CVE-2020-7385 Deserialization of Untrusted Data vulnerability in Rapid7 Metasploit
By launching the drb_remote_codeexec exploit, a Metasploit Framework user will inadvertently expose Metasploit to the same deserialization issue that is exploited by that module, due to the reliance on the vulnerable Distributed Ruby class functions.
network
rapid7 CWE-502
6.8