Vulnerabilities > Rapid7
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-03-20 | CVE-2023-0681 | Open Redirect vulnerability in Rapid7 Insightvm Rapid7 InsightVM versions 6.6.178 and lower suffers from an open redirect vulnerability, whereby an attacker has the ability to redirect the user to a site of the attacker’s choice using the ‘page’ parameter of the ‘data/console/redirect’ component of the application. | 6.1 |
| 2023-02-01 | CVE-2023-0599 | Cross-site Scripting vulnerability in Rapid7 Metasploit Rapid7 Metasploit Pro versions 4.21.2 and lower suffer from a stored cross site scripting vulnerability, due to a lack of JavaScript request string sanitization. Using this vulnerability, an authenticated attacker can execute arbitrary HTML and script code in the target browser against another Metasploit Pro user using a specially crafted request. | 4.8 |
| 2023-02-01 | CVE-2022-3913 | Improper Certificate Validation vulnerability in Rapid7 Nexpose Rapid7 Nexpose and InsightVM versions 6.6.82 through 6.6.177 fail to validate the certificate of the update server when downloading updates. | 5.3 |
| 2023-01-18 | CVE-2023-0290 | Path Traversal vulnerability in Rapid7 Velociraptor Rapid7 Velociraptor did not properly sanitize the client ID parameter to the CreateCollection API, allowing a directory traversal in where the collection task could be written. | 4.3 |
| 2023-01-18 | CVE-2023-0242 | Missing Authorization vulnerability in Rapid7 Velociraptor Rapid7 Velociraptor allows users to be created with different privileges on the server. | 8.8 |
| 2023-01-12 | CVE-2017-5242 | Use of Insufficiently Random Values vulnerability in Rapid7 Insightvm Nexpose and InsightVM virtual appliances downloaded between April 5th, 2017 and May 3rd, 2017 contain identical SSH host keys. | 7.7 |
| 2022-12-08 | CVE-2022-4261 | Download of Code Without Integrity Check vulnerability in Rapid7 Insightvm Rapid7 Nexpose and InsightVM versions prior to 6.6.172 failed to reliably validate the authenticity of update contents. | 6.5 |
| 2022-07-29 | CVE-2022-35629 | Authentication Bypass by Spoofing vulnerability in Rapid7 Velociraptor Due to a bug in the handling of the communication between the client and server, it was possible for one client, already registered with their own client ID, to send messages to the server claiming to come from another client ID. | 5.4 |
| 2022-03-17 | CVE-2022-0237 | Unquoted Search Path or Element vulnerability in Rapid7 Insight Agent Rapid7 Insight Agent versions 3.1.2.38 and earlier suffer from a privilege escalation vulnerability, whereby an attacker can hijack the flow of execution due to an unquoted argument to the runas.exe command used by the ir_agent.exe component, resulting in elevated rights and persistent access to the machine. | 7.2 |
| 2022-03-17 | CVE-2022-0757 | SQL Injection vulnerability in Rapid7 Nexpose Rapid7 Nexpose versions 6.6.93 and earlier are susceptible to an SQL Injection vulnerability, whereby valid search operators are not defined. | 6.5 |