Vulnerabilities > Rapid7

DATE CVE VULNERABILITY TITLE RISK
2020-10-29 CVE-2020-7384 Command Injection vulnerability in Rapid7 Metasploit
Rapid7's Metasploit msfvenom framework handles APK files in a way that allows for a malicious user to craft and publish a file that would execute arbitrary commands on a victim's machine.
network
rapid7 CWE-77
critical
9.3
2020-10-14 CVE-2020-7383 SQL Injection vulnerability in Rapid7 Nexpose
A SQL Injection issue in Rapid7 Nexpose version prior to 6.6.49 that may have allowed an authenticated user with a low permission level to access resources & make changes they should not have been able to access.
network
low complexity
rapid7 CWE-89
5.5
2020-09-18 CVE-2020-7358 Uncontrolled Search Path Element vulnerability in Rapid7 Appspider
In AppSpider installer versions prior to 7.2.126, the AppSpider installer calls an executable which can be placed in the appropriate directory by an attacker with access to the local machine.
local
rapid7 CWE-427
4.4
2020-09-03 CVE-2020-7382 Unquoted Search Path OR Element vulnerability in Rapid7 Nexpose
Rapid7 Nexpose installer version prior to 6.6.40 contains an Unquoted Search Path which may allow an attacker on the local machine to insert an arbitrary file into the executable path.
local
rapid7 CWE-428
4.4
2020-09-03 CVE-2020-7381 Code Injection vulnerability in Rapid7 Nexpose
In Rapid7 Nexpose installer versions prior to 6.6.40, the Nexpose installer calls an executable which can be placed in the appropriate directory by an attacker with access to the local machine.
network
rapid7 CWE-94
6.8
2020-09-01 CVE-2019-5645 Resource Exhaustion vulnerability in Rapid7 Metasploit
By sending a specially crafted HTTP GET request to a listening Rapid7 Metasploit HTTP handler, an attacker can register an arbitrary regular expression.
network
low complexity
rapid7 CWE-400
5.0
2020-08-24 CVE-2020-7377 Path Traversal vulnerability in Rapid7 Metasploit
The Metasploit Framework module "auxiliary/admin/http/telpho10_credential_dump" module is affected by a relative path traversal vulnerability in the untar method which can be exploited to write arbitrary files to arbitrary locations on the host file system when the module is run on a malicious HTTP server.
network
low complexity
rapid7 CWE-22
5.0
2020-08-24 CVE-2020-7376 Path Traversal vulnerability in Rapid7 Metasploit
The Metasploit Framework module "post/osx/gather/enum_osx module" is affected by a relative path traversal vulnerability in the get_keychains method which can be exploited to write arbitrary files to arbitrary locations on the host filesystem when the module is run on a malicious host.
network
low complexity
rapid7 CWE-22
critical
10.0
2020-06-25 CVE-2020-7355 Cross-Site Scripting vulnerability in Rapid7 Metasploit
Cross-site Scripting (XSS) vulnerability in the 'notes' field of a discovered scan asset in Rapid7 Metasploit Pro allows an attacker with a specially-crafted network service of a scan target store an XSS sequence in the Metasploit Pro console, which will trigger when the operator views the record of that scanned host in the Metasploit Pro interface.
network
rapid7 CWE-79
4.3
2020-06-25 CVE-2020-7354 Cross-Site Scripting vulnerability in Rapid7 Metasploit
Cross-site Scripting (XSS) vulnerability in the 'host' field of a discovered scan asset in Rapid7 Metasploit Pro allows an attacker with a specially-crafted network service of a scan target to store an XSS sequence in the Metasploit Pro console, which will trigger when the operator views the record of that scanned host in the Metasploit Pro interface.
network
rapid7 CWE-79
4.3