Vulnerabilities > Rapid7
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-02-01 | CVE-2022-3913 | Improper Certificate Validation vulnerability in Rapid7 Nexpose Rapid7 Nexpose and InsightVM versions 6.6.82 through 6.6.177 fail to validate the certificate of the update server when downloading updates. | 5.3 |
| 2023-01-18 | CVE-2023-0290 | Path Traversal vulnerability in Rapid7 Velociraptor Rapid7 Velociraptor did not properly sanitize the client ID parameter to the CreateCollection API, allowing a directory traversal in where the collection task could be written. | 4.3 |
| 2023-01-18 | CVE-2023-0242 | Missing Authorization vulnerability in Rapid7 Velociraptor Rapid7 Velociraptor allows users to be created with different privileges on the server. | 8.8 |
| 2023-01-12 | CVE-2017-5242 | Use of Insufficiently Random Values vulnerability in Rapid7 Insightvm Nexpose and InsightVM virtual appliances downloaded between April 5th, 2017 and May 3rd, 2017 contain identical SSH host keys. | 7.7 |
| 2022-12-08 | CVE-2022-4261 | Download of Code Without Integrity Check vulnerability in Rapid7 Insightvm Rapid7 Nexpose and InsightVM versions prior to 6.6.172 failed to reliably validate the authenticity of update contents. | 6.5 |
| 2022-07-29 | CVE-2022-35629 | Authentication Bypass by Spoofing vulnerability in Rapid7 Velociraptor Due to a bug in the handling of the communication between the client and server, it was possible for one client, already registered with their own client ID, to send messages to the server claiming to come from another client ID. | 5.4 |
| 2022-03-17 | CVE-2022-0237 | Unquoted Search Path or Element vulnerability in Rapid7 Insight Agent Rapid7 Insight Agent versions 3.1.2.38 and earlier suffer from a privilege escalation vulnerability, whereby an attacker can hijack the flow of execution due to an unquoted argument to the runas.exe command used by the ir_agent.exe component, resulting in elevated rights and persistent access to the machine. | 7.2 |
| 2022-03-17 | CVE-2022-0757 | SQL Injection vulnerability in Rapid7 Nexpose Rapid7 Nexpose versions 6.6.93 and earlier are susceptible to an SQL Injection vulnerability, whereby valid search operators are not defined. | 6.5 |
| 2022-03-17 | CVE-2022-0758 | Cross-site Scripting vulnerability in Rapid7 Nexpose Rapid7 Nexpose versions 6.6.129 and earlier suffer from a reflected cross site scripting vulnerability, within the shared scan configuration component of the tool. | 4.3 |
| 2022-01-21 | CVE-2021-4016 | Unspecified vulnerability in Rapid7 Insight Agent Rapid7 Insight Agent, versions prior to 3.1.3, suffer from an improper access control vulnerability whereby, the user has access to the snapshot directory. | 2.1 |