Vulnerabilities > Rapid7 > Nexpose > 6.4.15
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2019-08-21 | CVE-2019-5638 | Insufficient Session Expiration vulnerability in Rapid7 Nexpose Rapid7 Nexpose versions 6.5.50 and prior suffer from insufficient session expiration when an administrator performs a security relevant edit on an existing, logged on user. | 8.8 |
| 2017-12-14 | CVE-2017-5264 | Cross-Site Request Forgery (CSRF) vulnerability in Rapid7 Nexpose Versions of Nexpose prior to 6.4.66 fail to adequately validate the source of HTTP requests intended for the Automated Actions administrative web application, and are susceptible to a cross-site request forgery (CSRF) attack. | 6.8 |
| 2017-06-06 | CVE-2017-5243 | Use of a Broken or Risky Cryptographic Algorithm vulnerability in Rapid7 Nexpose The default SSH configuration in Rapid7 Nexpose hardware appliances shipped before June 2017 does not specify desired algorithms for key exchange and other important functions. | 6.8 |
| 2017-03-02 | CVE-2017-5232 | Untrusted Search Path vulnerability in Rapid7 Nexpose All editions of Rapid7 Nexpose installers prior to version 6.4.24 contain a DLL preloading vulnerability, wherein it is possible for the installer to load a malicious DLL located in the current working directory of the installer. | 6.8 |
| 2017-03-02 | CVE-2017-5230 | Use of Hard-coded Credentials vulnerability in Rapid7 Nexpose The Java keystore in all versions and editions of Rapid7 Nexpose prior to 6.4.50 is encrypted with a static password of 'r@p1d7k3y5t0r3' which is not modifiable by the user. | 6.5 |